S. 2201, ONLINE PERSONAL PRIVACY ACT


THURSDAY, APRIL 25, 2002, 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 10:15 a.m. in room SR-253, Russell Senate Office Building, Hon. Ernest F. Hollings, Chairman of the Committee, presiding.

OPENING STATEMENT OF HON. ERNEST F. HOLLINGS, U.S. SENATOR FROM SOUTH CAROLINA

The Chairman. The Committee will come to order. What we have, of course, is our online privacy bill before the Committee, and we have an actual bipartisan bill. The interesting thing is that — and I will put my full statement in the record, but we have got 14 different laws and regulations offering different levels of notice, choice, access and everything else, we have got the Cable Act, the Junk Fax Act, the telemarketing privacy, the video privacy — I comment on that because you would think, in trying to propose privacy for the Internet, that we are doing something real radical — not at all.

In fact, you look at the European practice, we have got some 135 blue chip American corporations that have joined in their particular opt-in online privacy provisions, which in a way in a couple of regards are even a little more stringent than ours, but be that as it may, the bipartisan bill sets a uniform Federal standard for the protection of online personal information, and the five core principles are consent, notice, access, security, enforcement.

I want to particularly, of the nine cosponsors, thank Senators Inouye, Rockefeller, Breaux and Cleland, who started with us — this has been a sort of a 2-1/2 year exercise, and Senators Kerry, Stevens, and Burns now, who worked with us the past 7 months to craft a bill that takes care of the concerns, not just of the consumers but, of course, the industry itself.

We do not want to do anything to stultify — in fact, it is this Senator’s view that in providing privacy provisions we are actually establishing trust and confidence in the Internet and therefore encouraging and propagating better and increased use. It has a provision for strong preemption. That is the certainty needed to resolve conflicting State standards. It has an opt-in protection for the sensitive personal information such as financial, health, ethnicity, religious preference, sexual orientation. It has opt-out protection for nonsensitive personal information like marketplace purchases. It has reasonable access, reasonable security and a sensible enforcement by the FTC and the State Attorneys General, of course with the private right of action.

When we look at the Federal Trade Commission they have had some 5 years of studies, hearings, meetings with the industry off and on, and the last Federal Trade Commission recommended, in futility, that we legislate, because they could not get an agreed approach, but you can see how the Federal Trade were treated. Eli Lilly exposed 700 Prozac patients and got just a slap on the wrist, so we have it in there as a private right of action with jurisdiction in the Federal court and a showing of actual harm.

My full statement is in the record. Let me yield. Senator McCain. 
[The prepared statement of The Chairman follows:] 

Prepared Statement of Hon. Ernest F. Hollings, U.S. Senator from South Carolina

Today the Commerce Committee will examine S. 2201, the Online Personal Privacy Act of 2002 — a bipartisan bill that is sponsored by 10 Senators on this Committee. We plan to report a bill in May, and that makes today’s hearing exceedingly timely. It’s past time for action on this issue; today will mark the 6th hearing on internet privacy in the last two Congresses. American consumers deserve better privacy protection on the Internet. We intend to give it to them.

I am pleased to be joined in my efforts by nine cosponsors on this Committee. We have those who were with me from the beginning — Senators Inouye, Rockefeller, Breaux, and Cleland. And we have additional support, from Senators Kerry, Nelson, Carnahan, Stevens and Burns. I particularly want to commend Senators Kerry, Stevens, and Burns, who have worked with me over the past seven months to craft the sensible, balanced approach that we introduced last week.

Let me articulate the principles that allowed us to achieve strong bipartisan support for our legislation —

• Strong preemption (to give business the certainty it needs in the face of conflicting state standards)

• Opt-in protection for sensitive personal information (like your financial and health information, your ethnicity, religious preferences, or sexual orientation)

• Opt-out protection for non-sensitive personal information (like your name and address, and marketplace purchases)

• Reasonable access

• Reasonable security

• Sensible enforcement by the FTC and the state AGs, with the limited exception of violations involving sensitive information, which permit a right of action in federal court, premised on a showing of actual harm.

Why do we need legislation? Businesses keep confounding consumers with unclear privacy policies that state, “your privacy is important to us,” but subsequently outline exceptions crafted to allow almost any use of personal information. Other Web sites don’t post privacy policies, safe in the knowledge that they face no legal jeopardy under current law for selling your information.

Some have argued that Americans’ concerns about privacy no longer exist after September 11th. But poll after poll consistently demonstrates the American people want companies they patronize to seek their permission prior to using their personal information for commercial profit. As recently as February, a Harris survey found that 63% of Americans want internet privacy legislation.

At the same time, advances in technology have provided the tools to seamlessly compile and enhance highly detailed personal profiles and histories of Internet users. Cookies and web bugs, and who knows what other technologies, all enable the surreptitious collection of individuals’ personal information, including every click of their computer mouse, online.

Moreover, severe privacy breaches continue without consequence. Last year, Eli Lilly disclosed a list of hundreds of customers suffering from depression, bulimia, and obsessive compulsive disorder. Eli Lilly’s response? An apology, and a promise it won’t happen again. But an apology and a promise is not enough for those patients whose medical history was divulged publicly.

Sensible privacy legislation like S. 2201 will stop this, promote consumer confidence, and bolster online commerce. A recent Forrester study reports that online businesses lost $15 billion due to consumer privacy concerns. Those numbers are significant in light of the economic downturn and its exaggerated impact on the high tech internet sector. Good privacy means good business and the internet economy could use a dose of that right now.

The shame is that it has taken us this long to get here. It has been nearly two years since the FTC recommendation for Internet privacy legislation, which was reached after five years of diligent study. This recommendation was particularly credible in light of the FTC’s record of extensive analysis and its two prior recommendations to allow self-regulation a chance to work.

We will hear from our opponents today that it is unfair to regulate online only. But this argument is nothing more than a straw man designed to kill internet privacy legislation. Does anyone remember a similar argument when we passed the children’s privacy legislation? Were children’s web sites complaining that we were regulating them differently from Toys-R-Us? Of course not. The internet industry supported that legislation. This Committee stands ready to pass similar legislation for all users. Let’s start there and then we’ll see about the entire marketplace.

Others will complain that our bill is premature — that we need to give the Gramm-Leach-Bliley financial privacy rules a chance to work, before we alter them for the Internet. Well — we’ve seen those rules, and they don’t work.

Americans have been receiving billions of notices in the mail telling them they can opt-out of the sharing of their personal financial information by financial institutions. These notices make a mockery of the claim that notice and opt-out provides sufficient protection for sensitive information. In many cases, the notices are internally inconsistent and outright deceptive.

We need to bring transparency and consistency to privacy protection on the internet by building on the many existing statutes that protect privacy for telephone customers, cable subscribers, video renters, credit card customers, and children on the internet. All Internet users deserve similar protection.

Some forward thinking companies know this. Microsoft, Intel, Hewlett-Packard, Expedia, and Earthlink provide opt-in right now. 185 U.S. companies, including Microsoft, Intel, Hewlett-Packard, and one of the largest data collection companies, Acxiom, have signed on to the EU Safe Harbor, which requires notice, opt-in for sensitive information, access and security. Why should European citizens be granted more protection than Americans?

Finally, I want to note that the following high tech trade associations have called for privacy legislation that preempts state law, requires notice and an opportunity to opt-out (and sometimes, even opt-in): the Information Technology Industries Association; the American Electronics Association; the Computer Systems Policy Project; and the Computer Technology Industry Association. Many of the members of these associations actually provide better privacy protection themselves, voluntarily.

Despite the good intentions of these companies, unless we take action to establish common-sense protections that will deter bad actors, consumer fears will continue to stifle use of the internet as a trusted commercial medium.

I look forward to our witness testimony, and the remarks of my distinguished former chairman, Senator McCain.

STATEMENT OF HON. JOHN McCAIN, U.S. SENATOR FROM ARIZONA

Senator McCain. Thank you, Mr. Chairman, and I want to thank you for holding this hearing today on the topic of online privacy and your recently introduced bill. I want to thank you for your continued work on this important subject. It is clear that privacy continues to concern many Americans who use the Internet. In a recent Harris Interactive poll a majority of the respondents once again voiced their concerns over the use of their personal information online.

In past hearings, this Committee has closely examined several issues with respect to online privacy legislation. We considered whether each of the four fair information principles, notice, choice, access, and security, should be mandated for online companies and, if so, how. We also addressed the questions of enforcement and preemption of State law. The Chairman’s bill includes each of these elements and offers a solution that seeks compromise on some of the differences we have explored in prior hearings.

Differences remain, however, particularly with respect to the private rights of action that this legislation creates, as well as the bill’s coverage of access and security. There are, on an even broader level, very significant practical challenges we need to consider with respect to how or if this legislation can be implemented.

One challenge we face is the treatment of personally identifiable information that is collected from both online and offline sources, and then merged together in a single consumer data file. Many companies and institutions today operate in both the online and offline world. We see examples of this everywhere. The retail chain, Toys-R-Us, allows customers to shop for the same toys online at Amazon that they can buy in their stores and shopping centers. Many local banks have web sites that allow account holders to check balances, transfer funds between accounts, and write checks to pay their bills online.

These businesses must collect and use personal information in both settings in order to provide their goods and services, and sometimes that information must be combined into one customer file. What happens to that combined information if we attempt to legislate for the online world without considering its collection or use in the offline one? Would the same types of notices be applied, even ones designed with the Internet in mind?

As these two worlds merge, we must face the practical reality that restrictions intended for the online world may have unintended but significant impact on accepted business practices in the offline world.

The second challenge is that Congress passed over 30 Federal laws that already protect the privacy of individuals. We have to be certain to carefully consider the effect of this bill on these existing laws, particularly if its enactment would create ambiguous or conflicting requirements for business and greater confusion for consumers.

I would also like to introduce two items into the record today that I believe are essential to our consideration of this legislation. The first are the letters of the Chairman and commissioners of the Federal Trade Commission that I received yesterday afternoon; the second is the 2001 survey of online privacy practices released by the Progress and Freedom Foundation in March, which duplicated the methodology used by the FTC in its 2000 report.

The FTC has spent a considerable amount of time and resources addressing the issue of online privacy. After S. 2201 was introduced, I wrote a letter to each of the commissioners asking whether they believed legislation was needed and, if so, what it should contain. I also asked for their comments on the principal features of the legislation. Despite the short amount of time they had to spend, each commissioner did, and I thank them for their efforts. In summary, two of the five commissioners believe that legislation is needed at this time and are supportive of the bill. The other three commissioners, including the Chairman, expressed strong reservations about the workability of the provisions of S. 2201, and the need for legislation in light of existing privacy law, increased FTC enforcement, and industry efforts to improve protections.

I want to thank the witnesses for being with us today, and I will be interested in hearing their views on the legislation. Thank you, Mr. Chairman.

The Chairman. Thank you. Senator Burns. 

STATEMENT OF HON. CONRAD BURNS, U.S. SENATOR FROM MONTANA

Senator Burns. Thank you, Mr. Chairman. Thanks for holding this hearing today as we wrestle with this problem of privacy in the Internet world. As more and more of our daily activities move online, it is no surprise that privacy is the number one concern among Internet users. I should add that privacy or, rather, the lack of it, is also the top reason why nonusers have not yet ventured into the Internet.

The reasons for these well-justified concerns are clear. Americans have no safety net on privacy online. In fact, ever more sophisticated technologies are being developed to collect nearly limitless information on individuals without their knowledge. Privacy is not just an individual rights concern, however. Online privacy is central to the future of the economic well-being of the Internet. The rate of growth of e-commerce is clearly being slowed by consumers’ rising and legitimate fears about privacy intrusion. Several studies pointed out that the privacy reason preventing more people from making purchases online is the lack of privacy.

While the Internet has exhibited massive growth, currently less than one percent of all consumer retail spending is done online. In short, e-commerce still has a huge upside potential, but that potential will never be fulfilled without the basic assurances of consumer privacy. To address these concerns, early in the 106th Congress, Senator Wyden and I introduced an Online Privacy Protection Act which was based on our shared view that while self-regulation should be encouraged, we need to also provide a strong enforcement mechanism to punish the bad actors.

I remain convinced that the comprehensive private legislation is necessary to protect consumers, which is why I am the original cosponsor of the bill the Committee is considering today, the Online Personal Privacy Act. The fact that the bipartisan bill was introduced last week with 10 cosponsors on the Committee shows a tremendous support for online privacy that exists on this Committee. The current bill is much improved from the previous versions, and, while it is not perfect by any means, I view it as a reasonable compromise between the opt-out approach, which I favored previously, and the opt-in approach which the Chairman’s original bill incorporated.

I believe one of the strongest sections of the bill the Committee is considering today is its clear-cut preemption language. In response to the rising call for consumer privacy protection, the Internet risks being subject to a crazy quilt of conflicting regulations on a State-by-State basis. Already, for instance, the State of Minnesota has passed a comprehensive online privacy bill out of its legislature, and California is moving along a similar track. An online privacy law is already on the books in Vermont, which requires an opt-in by consumers before individuals’ financial or medical information can be shared with third parties.

While the impulse behind these efforts is understandable, companies need regulatory certainty in order to do business efficiently. Clearly, strong Federal preemption is needed and is provided in S. 2201.

The robust security requirement is also a very positive aspect of the current bill. The bill simply requires web sites to maintain a reasonable procedure necessary to protect security, confidentiality, and integrity of personally identifiable information. In today’s era of hacker intrusion and identity theft, I view this section as absolutely essential to protect consumers.

I would like to touch on the idea offered by many who oppose privacy legislation that simply posting a privacy policy is the same as actually ensuring privacy for consumers. While I view the increasing trend toward posting privacy policies as a positive development, the fact remains that many of these policies are frustrating exercises in legalese. It becomes obvious from weeding through the examples of these policies that most were designed with the goal of protecting the companies, rather than informing and empowering the consumers.

A perfect example of the potential consequences of the legalistic approach toward privacy policies occurred earlier this month, when millions of consumers downloaded a file-swapping program called Kazaa. Only later did consumers realize that they had agreed to install software that could help turn their computers into nodes on a network controlled by a third company called Brilliant Entertainment, while the company’s privacy policy ran over 4,000 words, which explains why most consumers simply clicked on the “I agree” button.

The concern surrounding these types of abuse led to the requirement in previous bills, on Senator Wyden’s and my bill before, and S. 2201, that privacy policies must be clear, and they must be conspicuous.

I look forward to working with the Chairman and my colleagues on the Committee on this critical issue. I also look forward to the testimony today, and I appreciate it, and thank the witnesses for coming today, and I thank the Chairman.

The Chairman. Thank you. Senator Allen. 

STATEMENT OF HON. GEORGE ALLEN, U.S. SENATOR FROM VIRGINIA

Senator Allen. Thank you, Mr. Chairman, for holding this hearing. I have read and look forward to working with our witnesses, and thank you all for being here.

I think we all can agree that individual people have a significant interest in personal information and an interest in determining how that information is used. Now, throughout this debate, Mr. Chairman, and for those who are in the Committee room here, I have been guided by two principles.

First, I think we ought to empower individual consumers to make sure that they have the information necessary to make a reasonable decision and choice on their own. Second, I think we need to encourage to the greatest extent possible market-driven regulation. Many of those market forces already exist.

Now, I want to associate myself, Mr. Chairman, with the sentiments expressed by Senator McCain, and I will not repeat many of the points he made, but I do want to touch on them. In this regard, I have concerns that this Committee may be proceeding with legislation prematurely that is unnecessarily burdensome and discriminatory to the online world. I do not think we should discriminate in the treatment of personally identifiable information with regard to the medium through which the information is collected. Why should a consumer’s privacy concern regarding information-sharing only accommodate or apply to those consumers who have access to the Internet?

Second, and further, there are at least 23 current Federal laws addressing information-sharing and privacy rights. I understand that consumers have specific and legitimate concerns about their health and financial information privacy. In addition, whether online or offline, the Gramm-Leach-Bliley Act of 1999, and the Health Insurance Portability and Accountability Act of 1996 already address many of those specific concerns. I would encourage enforcement of our existing laws before we attempt to craft new laws.

Third, the Progress and Freedom Foundation released a report on online privacy, a report on the information practices and policies of commercial web sites. Some of the more interesting findings were that commercial web sites are collecting less personally identifiable information than they were 2 years ago. They also pointed out that fewer web sites are using third party cookies to track web surfing behavior.

Of the most popular web sites, showing the reaction of the private sector, the sites that receive the most traffic, the use of third party cookies fell from 78 percent to 48 percent, and also the privacy notices — and Senator Burns noted this — are more prevalent and more prominent and more complete.

Ninety-nine percent of the 85 busiest web sites have privacy policies that are more comprehensive, in other words, stating how they handle the consumer information, and more accessible from the site’s front page.

Now, the one rational jurisdictional reason for this legislation and one that I, too, support, and I think is the most important part, has to do with the jurisdiction, the Federal jurisdiction in this, in that it does deal with interstate commerce. The reason the Senate should consider any privacy legislation is to establish a uniform national standard. To have a patchwork of liabilities and rules governed by the States would make it extremely difficult for any business to comply with 50 potentially conflicting privacy laws and regulations, thus arguably affecting interstate commerce.

I do want to get into some of the details of how much — and we do need to have a strong preemption. Some States, Mr. Chairman, and others are considering enacting privacy laws under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, and how will these privacy laws be preempted under this legislation, and if we enact a new law I think we ought to make certain that the strongest, most effective preemption language is included.

I would finally say that the treatment in here of affiliated companies as third parties can be seriously troublesome to diversified companies with diversified corporate structures. Many companies consist of dozens of different corporate structures, all of which may share a common customer data base. If a user’s consent is required to share personally sensitive, personally identifiable information, even amongst controlled and affiliated subsidiaries, then many larger companies are going to be automatically potentially out of compliance, and just by the very nature of how data management infrastructures are built.

So I look forward to working to the extent we can, and I hope we can in a bipartisan fashion with our Committee Members in an approach that informs and empowers individual choice, but also trusts the private sector to continue its good work in the market, and I believe that that approach means that we ought to move very cautiously.

I would finally state, Mr. Chairman, let us not create any more government-imposed restrictions that create more problems than they solve.

Thank you, Mr. Chairman. 

The Chairman. Thank you. Senator Wyden. 

STATEMENT OF HON. RON WYDEN, U.S. SENATOR FROM OREGON

Senator Wyden. Thank you, Mr. Chairman. I want to start, Mr. Chairman, by commending you, because I think a lot of progress has been made in the last year on this issue. As all of us will recall a year ago, this Committee was to a great extent deadlocked over some arcane matters, particularly this opt-out and opt-in issue. You have produced a hybrid kind of approach that I think makes a lot of sense, and I am planning to work very closely with you in the days ahead so that we can report this legislation.

There is an important challenge today, because I do not think this country can afford an EXXON VALDEZ of privacy. We have already seen some very serious problems. It was not very long ago when the Eli Lilly Company unintentionally disseminated the e-mail addresses of more than 600 people taking Prozac, and I would just say, particularly to people in industry, if there is an EXXON VALDEZ of privacy, it will not be possible to get the kind of preemption protection that is envisaged in this legislation.

If there are those kinds of calamitous events, every State in this country is going to go off and essentially do their own thing, and at that point the horse will be out of the barn, and it will not be possible to get preemption protection, as many in industry are seeking.

Now, there are a number of concerns that I have at this point. I do want to make sure that with respect to the notice provision that there is a short, understandable notice provision, something that consumers can become familiar with in the years ahead.

I also think it is important to explore ideas for safe harbor provisions so that the many companies in this country that are acting responsibly will have a clear path of certainty and safety under the legislation that Congress may pass, but there is no question in my mind important progress has been made in the last year, and I look forward to working with you, Mr. Chairman and Senator McCain and others to report this legislation.

The Chairman. Thank you. Senator Stevens. 

STATEMENT OF HON. TED STEVENS, U.S. SENATOR FROM ALASKA

Senator Stevens. Thanks very much, Mr. Chairman. I do not have a written statement, but I would say that I agree with Senator McCain about the offline concept, and I think we probably should be willing, those of us who sponsor this legislation, to listen to some of those concerns.

Also, I have some concerns that I have expressed to you about the right of private action, and I think there ought to be some limitation on that. We ought to rely on the agencies first and then rely on private action only when it is necessary to raise the issues in the courts.

And Senator McCain, I do not know if you know it, some of the commissioners sent us copies of the letters they wrote back to you, others did not. If you would share all of them with us, I think it would be good for the record to know what the commissioners are thinking about this. I do think, as Senator Allen said, we have a job to do now, and it is time that we got this done, and I think we should not be afraid of broadening this legislation.

Thank you very much. 

The Chairman. Very good. Senator Cleland. 

Senator McCain. Mr. Chairman, I would ask the letters be included in the record.

The Chairman. Those letters will be included. 

[The information referred to follows:] 

Federal Trade Commission 
Washington, DC, April 24, 2002 

Hon. John McCain,
Ranking Member,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Dear Senator McCain: 

Thank you for your letter of April 19, 2002, requesting my views on S. 2201, the Online Personal Privacy Act.

Personal privacy issues are a key priority at the Commission. Because a variety of practices can have negative consequences, consumer concerns about privacy are strong and justified. Avoiding these consequences requires a strong law enforcement presence, and we have increased by 50 percent FTC resources targeted to addressing privacy problems. Our agenda includes:

• A proposed rulemaking to establish a national, do not call registry; 

• Greater efforts to enforce both online and offline privacy promises; 

• Beefed up enforcement against deceptive spam; 

• A new emphasis on assuring information security; 

• Putting a stop to pretexting; 

• Increased enforcement of the Children’s Online Privacy Protection Act; and 

• New initiatives to both help victims of I.D. theft and assist criminal prosecution of this crime.

The concerns about privacy that motivate our enforcement agenda have led others, including many members of Congress, to propose new laws, such as S. 2201, the Online Personal Privacy Act. There are potential benefits from general privacy legislation. If such legislation could establish a clear set of workable rules about how personal information is used, then it might increase consumer confidence in the Internet. Moreover, federal legislation could help ensure consistent regulation of privacy practices across the 50 states. Although we should consider carefully alternative methods to protect consumer privacy and to reduce the potential for misuse of consumers’ information, enactment of this type of general legislation is currently unwarranted.¹

Five points underscore my concern about general, online privacy legislation: 

1. Drafting workable legislative and regulatory standards is extraordinarily difficult.

The recently-enacted Gramm-Leach-Bliley Act (“GLB”), which applies only to financial institutions, required the multiple mailings of over a billion privacy notices to consumers with little current evidence of benefit.² Our experience with GLB privacy notices should give one great pause about whether we know enough to implement effectively broad-based legislation, even if it was limited to notices.

Unlike GLB, the proposed legislation deals with a wide variety of very different businesses, ranging from the websites of local retailers whose sales cross state lines to the largest Internet service providers in the world. Thus, implementation of its notice requirement will likely be even more complicated.

Moreover, the legislation adds requirements for access not found in GLB. The rec- 
ommendations of the FTC’s Advisory Committee on Online Access and Security 
make clear that no consensus exists about how to implement this principle on a 
broad scale. 3 Perhaps reflecting these same concerns, S. 2201 grants the FTC broad 
rulemaking authority. The only legislative guidance is the requirement that the pro- 
cedures be reasonable. The statute is silent, for example, on how to balance the ben- 
efits of convenient customer access to their information with the inherent risks to 
security that greater access would create. The FTC has no answer to this conun- 
drum. We do not know how to draft a workable rule to assure that consumers’ pri- 
vacy is not put at risk through unauthorized access. 

The inherent complexity of general privacy legislation raises many difficulties 
even with provisions that are conceptually attractive in the abstract. For example, 
the proposed legislation imposes different requirements on businesses based on 
whether they collect “sensitive” or “nonsensitive” personal information. Although 
this may be a conceptually sound approach, we have no practical experience in im- 
plementing it, and attempting to draw such distinctions appears fraught with dif- 
ficulty, both in drafting regulations and assuring business compliance. Under the 
statute, for example, the fact that I am a Republican is considered sensitive, but 
a list of books I buy and websites I visit are not. 

Similarly, the broad state preemption provision would provide highly desirable na- 
tional uniformity. Questions about the scope of preemption would inevitably arise, 
however. How would the preemption provision affect, for example, state laws on the 
confidentiality of attorney/client communications for attorneys using websites to in- 
crease their efficiency in dealing with their clients? Moreover, what are the implica- 
tions for state common law invasion of privacy torts when the invasion of privacy 
occurs online? 

Another problem is that, except for provisions reconciling the provisions of this 
bill with the provisions of the Children’s Online Privacy Protection Act and certain 
provisions of the Federal Communications Act, there are no provisions reconciling 
the proposed legislation with other important Federal privacy legislation. For exam- 
ple, it is unclear how S. 2201’s requirement of notice and “opt-in” choice for disclo- 
sure of financial information collected online would be reconciled with GLB’s notice 
and “opt-out” requirements for the same information. Nor is it clear whether a cred- 
it reporting agency’s use of a website to facilitate communications with its cus- 
tomers would subject it to a separate set of notice, access, and security require- 
ments, beyond those already in the Fair Credit Reporting Act. 

I want to emphasize that I note these examples, not to criticize the drafting of 
the proposed legislation, but to illustrate the inherent complexity of what it is trying 
to accomplish. 


1 There may be areas in which new legislation is appropriate to address a specific privacy 
issue. This letter addresses my concerns about broad, general legislation governing online pri- 
vacy issues. 

2 I am unaware of any evidence that the passage of GLB increased consumer confidence in 
the privacy of their financial information. In contrast to GLB’s notice requirements, certain GLB 
provisions targeting specific practices have directly aided consumer privacy. For example, the 
law prohibits financial institutions from selling lists of account numbers for marketing purposes, 
and makes it illegal for third parties to use false statements (“pretexting”) to obtain customer 
information from financial institutions in most instances. 

3 The Committee’s Final Report is available at www.ftc.gov/acoas/papers/finalreport.htm. 
2. The legislation would have a disparate impact on the online industry. 

Second, I am concerned about limiting general privacy legislation to online prac- 
tices. Whatever the potential of the Internet, most observers recognize that informa- 
tion collection today is also widespread offline. Legislation subjecting one set of com- 
petitors to different rules, simply based on the medium used to collect the informa- 
tion, appears discriminatory. Indeed the sources of information that lead to our 
number one privacy complaint — ID Theft — are frequently offline. Of course, applying 
the legislation offline would increase the complexity of implementation, again under- 
scoring the difficulties inherent in general privacy legislation. 

3. We have insufficient information about costs and benefits. 

Third, although we know consumers value their privacy, we know little about the 
cost of online privacy legislation to consumers or the online industry. Again, the ex- 
perience under GLB indicates that the costs of notice alone can be substantial. 
Under S. 2201, these costs may be increased by the greater number of businesses 
that must comply, by uncertainty over which set of consent procedures apply, and 
by the difficulty of implementing access and security provisions. 

4. Rapid evolution of online industry and privacy programs is continuing. 

Fourth, the online industry is continuing to evolve rapidly. Recent surveys show 
continued progress in providing privacy protection to consumers. 4 Almost all (93 
percent) of the most popular websites provide consumers with notice and choice re- 
garding sharing of information with third parties. Some of the practices of most con- 
cern to consumers, such as the use of third party cookies, have declined sharply. 
Moreover fewer businesses are collecting information beyond email addresses. These 
changes demonstrate and reflect the more important form of choice: the decision 
consumers make in the marketplace regarding which businesses they will patronize. 
Those choices will drive businesses to adopt the privacy practices that consumers 
desire. 

Perhaps most important for the future of online privacy protection, 23 percent of 
the most popular sites have already implemented the Platform for Privacy Pref- 
erences (P3P). This technology promises to alter the landscape for privacy disclo- 
sures substantially. Microsoft has incorporated one implementation of P3P in its 
web browser; AT&T is testing another, broader implementation of this technology. 
By the time the Act’s disclosure regulations might reasonably take effect, 5 the tech- 
nological possibilities for widespread disclosure may differ substantially. Although 
S. 2201 anticipates this development by requiring the National Institute of Standards 
to promote the development of P3P technology, legislation enacted now cannot 
take advantage of such nascent technology. Moreover, it may inadvertently reduce 
the incentives for businesses and consumers to adopt this technology if disclosures 
are required using other approaches. 

5. Diversion of resources from ongoing law enforcement and compliance activities. 

Finally, there is a great deal the FTC and others can do under existing laws to 
protect consumer privacy. Indeed, since 1996, five new laws have had a substantial 
impact on privacy-related issues. 6 We should gain experience in implementing and 
enforcing these new laws before passing general legislation. Implementation of yet 
another new law will require both industry and government to focus their efforts 
on a myriad of new implementation and compliance issues, thus displacing re- 
sources that might otherwise improve existing privacy protection programs and en- 
force existing laws. Simply shifting more resources to privacy related matters will 
not, at least in the short term, correct this problem. The newly-assigned staff would 
need to develop the background necessary to deal with these often complex issues. 
The same is likely true for business compliance with a new law. Without more expe- 
rience, we should opt for the certain benefits of implementing our aggressive agenda 
to protect consumer privacy, rather than the very significant effort of implementing 
new general legislation. 


4 The Progress and Freedom Foundation recently released the results of its 2001 Privacy Survey, 
available at www.pff.org/pr/pr032702privacyonline.htm. 

5 Again, GLB is instructive. It was almost two years between the enactment of the statute 
and the effective date of the privacy rules promulgated thereunder. 

6 Fair Credit Reporting Act, 15 U.S.C. § 1681 (amended 9/30/96); Health Insurance Portability 
and Accountability Act, 42 U.S.C. § 1320 (enacted 8/21/98); Children’s Online Privacy Protection 
Act, 15 U.S.C. §6501 (enacted 10/21/98); ID Theft Assumption & Deterrence Act, 18 U.S.C. 
§1028 (enacted 10/30/98); GLB, 15 U.S.C. §6801 (enacted 11/12/99). Moreover, since 1996, the 
FTC has been applying its own statute to protect privacy. 
Conclusion 

We share the desire to provide American consumers better privacy protection and 
to ensure that American businesses face consistent state and Federal standards 
when handling consumer information. Nonetheless, we believe that enactment of 
this general online privacy legislation is premature at this time. We can better pro- 
tect privacy by continuing aggressive enforcement of our current laws. 

Sincerely, 

Timothy J. Muris 

Chairman 


Federal Trade Commission 
Washington, DC, April 24, 2002 

Hon. John McCain, 

Ranking Member, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

Re: S. 2201 (The Online Personal Privacy Act) 

Dear Senator McCain: 

I am pleased to provide my views on S. 2201, the Online Personal Privacy Act, 
which was introduced by Chairman Hollings on April 18, 2002. Although I share 
the view of the sponsors of this legislation that privacy is important to American 
consumers, there has been no market failure that would justify the passage of legis- 
lation regulating privacy practices concerning most types of information. Even if 
such a market failure exists, I am not persuaded that the benefits of such legisla- 
tion, including the proposed Online Personal Privacy Act, exceed its costs. 

Indeed, the best means of protecting consumer privacy without unduly burdening 
the New Economy is through a combination of industry self-regulation and aggres- 
sive enforcement of existing laws that are relevant to privacy by the FTC and other 
appropriate regulatory agencies. This approach is flexible enough to respond rapidly 
to technological change and to the tremendous insight we are gaining from the ongo- 
ing dialogue among government, industry, and consumers on privacy issues. 

You have asked for my assessment of whether legislation is needed. I believe leg- 
islation should be reserved for problems that the market cannot fix on its own. To 
my knowledge, there is no evidence of a market failure with respect to online pri- 
vacy practices, nor are there signs of impending market failure that would warrant 
burdensome legislation. As a result of a continuing and energetic dialogue among 
industry, government and consumer representatives, industry is stepping up to the 
plate and leading the way toward enhancing consumer privacy online. Flexible and 
efficient privacy tools are increasingly addressing consumer concerns. Indeed, the 
evidence indicates that the market is responding to consumers’ concerns and de- 
mands about privacy. 

A recent Progress and Freedom Foundation study 1 tells us that there has been 
a significant decline in the amount of personal information that websites are col- 
lecting from visitors. 2 At the same time, there has been an increase in the voluntary 
adoption of privacy practices. The study indicates that privacy policies have become 
more common and more consumer-friendly over the past year. In addition, the per- 
centage of the most popular sites offering consumers a choice whether their informa- 
tion can be shared with third parties increased from 77% in 2000 to 93% in 2001. 
The privacy-enabling technology, Platform for Privacy Preferences (P3P), is being 
deployed rapidly, and industry has generally become more responsive to the privacy 
concerns of consumers. 

These trends clearly demonstrate that the online marketplace is dynamic, and 
that firms are working hard to find the “right” pattern for information management 
practices. In addition, the survey results show that the most frequently visited 
websites (and much of the Internet as a whole) have clearly recognized that infor- 
mation management policies and privacy practices are necessary parts of everyday 
business on the Internet. Consumers expect privacy protection and firms realize 


1 Adkinson, William F. Jr., Jeffrey A. Eisenach, Thomas M. Lenard, Privacy Online: A Report 
on the Information Practices and Policies of Commercial Web Sites. Washington, D.C.: Progress 
& Freedom Foundation (2002). Available at: http://www.pff.org/publications/privacyonlinefinalael.pdf 

2 Among the most popular 100 sites, the proportion collecting personal information fell from 
96% in 2000 to 84% in 2001. Similar to this finding, the proportion of those firms employing 
“cookies” fell from 78% to 48% in the past year. 
that it is to their competitive advantage to respond to customer expectations. To the 
extent that consumers have demanded privacy, these results show that the market 
has provided it. 

Contrary to arguments by proponents of legislation that consumers’ privacy con- 
cerns are retarding the growth of electronic commerce, electronic commerce is grow- 
ing rapidly without new privacy legislation. Online transactions have roughly dou- 
bled each year between 1997 and 1999, and annual consumer purchases have risen 
from roughly $5 billion in 1998 to $32 billion in 2001. Recent data on online holiday 
shopping are even more dramatic, rising from roughly $1 billion in 1997 to nearly 
$14 billion in 2001 — a 1300% increase. E-commerce thus is growing rapidly in the 
absence of new privacy regulation. 3 

For many years now, it has been my understanding that Congress seeks to weigh 
the costs and benefits of new legislation, with the goal of avoiding doing more harm 
than good. To my knowledge, there is no evidence concerning the costs associated 
with the proposed legislation, nor an assessment of whether those costs are out- 
weighed by the ill-defined economic benefits that might follow. I do not believe legis- 
lation should be adopted without careful consideration of the problems it may cre- 
ate. 

Perhaps the most glaring cost associated with the bill, and with any online-spe- 
cific privacy legislation, is that it discriminates in favor of offline commerce. It is 
important to remember that electronic commerce currently constitutes a very small 
portion of all commercial activity. It is difficult to understand drawing a distinction 
between offline and online privacy. I would suggest that it is likely that consumers 
share similar concerns in both situations. I believe it is essential to consider the 
costs and benefits of regulating both online and offline privacy before any legislation 
is enacted. 

To evaluate other costs associated with the notice and choice requirements of the 
Online Personal Privacy Act, the Commission’s experience with the Gramm-Leach- 
Bliley Act (GLB Act) is instructive. The GLB Act requires that financial institutions 
issue privacy notices to their customers and, in certain circumstances, provide them 
with the opportunity to opt out of disclosures of nonpublic personal information to 
nonaffiliated third parties. To comply with the GLB Act last year, firms incurred 
great expense in disseminating privacy notices, yet very few consumers opted out. 
Among the difficulties encountered in complying with the GLB Act was the chal- 
lenge of communicating complex information to consumers. Industry would face 
these same challenges in communicating notice and choice in the online context, and 
a requirement to provide “robust” notice to consumers does little to solve these prob- 
lems. It also would be difficult for static regulation to keep pace with technology. 
For example, regulation mandating notice provided on a website may be inappli- 
cable to Web-enabled handheld devices, such as cell phones. 

A requirement to provide “reasonable access and security” is difficult to define. 
In its May 2000 report, the Commission’s Advisory Committee on Online Access and 
Security was unable to reach consensus as to the amount and type of access that 
should be provided to consumers. 4 Given the complexity of this issue, I do not be- 
lieve that it is a suitable topic for broad-based legislation or regulation. More impor- 
tant, the Commission already has the ability to address security breaches through 
the enforcement of existing statutes. 5 

In addition, I am not aware of reliable information about the likely costs associated 
with providing access and, in particular, the costs of maintaining a clickstream 
database that could be easily accessible to consumers and easily altered. 6 I therefore 
question whether the $3.00 fee allowed by S. 2201 for consumers to obtain access 
to their information would be sufficient to cover the expense. Although some 
firms — obviously the larger ones — might be able to absorb the costs associated with 
this access mandate, other firms might be unable to provide the service for a minimal 
fee and would be unable to continue business with their current model. This 
possibility seems terribly unfair to small business and harmful to competition in 
electronic commerce. 


3 It is interesting to compare the growth of electronic commerce to the growth in the use of 
debit cards. Between 1988 and 1996, debit transactions slowly rose from virtually nothing to 
less than $50 billion annually. As consumers’ experience with these cards increased, however, 
debit card spending jumped to $300 billion in 2000. This massive growth in debit card trans- 
actions was not caused by federal regulatory action, but resulted from consumers’ positive expe- 
riences with the cards. 

4 In 1999, the Commission established an Advisory Committee on Online Access and Security 
to provide advice and recommendations to the Commission regarding implementation of reason- 
able access and adequate security by domestic commercial websites. The Committee’s final re- 
port to the Commission on May 15, 2000, described options for implementing reasonable access 
to, and adequate security for, personal information collected online and the advantages and dis- 
advantages of each option. 

5 See In the Matter of Eli Lilly and Co., FTC File No. 012 3214 (consent agreement accepted, 
Jan. 17, 2002) (alleging that Eli Lilly unintentionally disclosed personal information collected 
from consumers by not taking appropriate steps to protect the confidentiality and security of 
that information). 

6 Under the proposed legislation, clickstream data, as collected by third-party cookies, are con- 
sidered to be personally identifiable information to which consumers should have access. 

Finally, in an attempt to empower consumers, this legislation gives them a pri- 
vate right of action. While this measure is aimed at increasing compliance with the 
law, I fear that a private right of action may result in unintended consequences. 
More specifically, increased private litigation over information management policies 
may chill further innovation on the part of businesses that may fear that any 
change in their information management practices will be met with lawsuits. 

In summary, the electronic marketplace is still evolving. Industry and government 
have been working diligently to address consumers’ privacy concerns. Businesses 
have made admirable progress over the past several years and have no intention 
of standing down. Industry leaders are directly involved in seeking solutions to meet 
consumer demands and concerns. From a business standpoint, it just makes good 
sense. Now is not the time for the federal government to legislate and effectively 
halt progress on these self-regulatory efforts. New, complicated, and ambiguous laws 
will force innovation and investment to take a back seat to compliance and bureau- 
cratic process. At the end of the day, we will have made far less progress in finding 
solutions to privacy concerns than we would have if we had simply relied on govern- 
ment and private sector cooperation and market forces. 

Thank you for the opportunity to offer my views on these issues. I look forward 
to working with you in the future. 

Sincerely, 


Orson Swindle, 

Commissioner 


Federal Trade Commission 
Washington, DC, April 24, 2002 

Hon. John McCain, 

Ranking Member, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

Re: S. 2201 (The Online Personal Privacy Act) 

Dear Senator McCain: 

In anticipation of the Senate Commerce Committee’s April 25, 2002 hearing on 
S. 2201, the Online Personal Privacy Act (“OPPA”), you have asked each Commis- 
sioner of the Federal Trade Commission to comment on whether legislation is need- 
ed and, if so, what such legislation should contain. As you know, the FTC has long 
been involved with the issue of consumer privacy and I have also personally devoted 
a great deal of time and thought to this matter. Accordingly, I appreciate the oppor- 
tunity to offer my views about privacy legislation and comment on the principal fea- 
tures of the OPPA. 

In the past, a particular area of focus for me has been the question of whether 
federal legislation is necessary. In the Commission’s May 2000 Congressional Re- 
port, “Privacy Online: Fair Information Practices in the Electronic Marketplace,” a 
majority of the FTC recommended that Congress enact online privacy legislation. In 
my accompanying statement and written testimony, I expressed my support for 
thoughtful and balanced online privacy legislation that is coupled with meaningful 
self-regulation and enforcement of existing laws. 1 

I also stated that such privacy legislation should incorporate the well-established 
fair information practice principles of notice, choice, access and security and should 
provide for federal preemption of inconsistent state laws. Further, legislation should 
be organic and sufficiently flexible to take into account the type and sensitivity of 
the data at issue. 


1 This position represented a change from my prior opinion which did not support legislation 
but, instead, called for industry self-regulatory measures. Compare Statement of Commissioner 
Mozelle W. Thompson Before Senate Comm. On Commerce, Science and Transp. (May 25, 2000), 
with Statement of Commissioner Mozelle W. Thompson Before Senate Comm. On Commerce, 
Science and Transp. (July 13, 1999). 
My conclusion has not changed and, as discussed below, I believe that today’s 
market conditions make an even more compelling case for legislation. Moreover, I 
support the OPPA because it contains the above described elements and represents 
a thoughtful, balanced and well-reasoned approach to the privacy issue. 

On-line Privacy Legislation Is Needed 

Consumer confidence is one of the most important features of American economic 
strength and, as demonstrated by recent declines in dot-com industries, emerging 
markets and young industries are particularly vulnerable to consumer uncertainty. 
It is not surprising then, that those industries involved in the developing electronic 
marketplace, or “e-commerce,” have begun to direct greater attention and more re- 
sources to strategies that address consumer confidence. Members of this industry 
are asking what is needed to allow e-commerce to reach its potential and fully develop 
into a stable and robust market. One answer is data privacy. 

Studies continue to indicate that consumers’ foremost concern with respect to e- 
commerce is the privacy of their personal data. Indeed, last year Forrester Research 
estimated that consumers’ online privacy concerns cost $15 billion of potential e- 
commerce revenue. Also, 73% of online consumers who refused to purchase online 
did so because of privacy concerns. Moreover, one need only compare the stock 
prices of those companies engaged in online profiling, before and after settling com- 
plaints about their business practices, to find a clear example of the value to con- 
sumers of certainty and confidence in a new market. 

To date, the FTC has provided a strong privacy foundation by way of the agency’s 
law enforcement regime combined with our efforts in promoting industry self-regula- 
tion. Although consumers and businesses involved in e-commerce have benefitted 
from these efforts, they are no longer sufficient because there are still online compa- 
nies that fail to protect consumer information. Without a legislative backdrop, too 
much of the risk of e-commerce is shifted to the consumer at a time when consumer 
confidence is critical. Law enforcement measures are by their nature retroactive, fo- 
cusing on events that have already occurred. Once a consumer has lost his or her 
privacy — be it through identity theft, the creation of an unauthorized profile based 
upon the consumer’s online activities or by some other means — it is generally impos- 
sible to make that consumer whole again. 

This condition is made more serious because the Internet allows instantaneous, 
inexpensive and unlimited transmission of data while computer databases permit 
storage and unprecedented manipulation. Moreover, it is difficult for the consumer 
to even know that his or her privacy has been violated until, in some cases, years 
after the fact. 2 Consequently, without legislation, e-commerce will remain an uncer- 
tain marketplace in which only those consumers on the fringe will participate. 

The absence of legislation also forces the Commission into the unusual position 
of going after the good actors that have strong privacy policies, while the bad re- 
main largely unreachable by agencies like the FTC, thus leaving these businesses 
free to violate consumer trust. Without the type of legislative backdrop that the 
Commission called for in 2000, and which OPPA provides, I am afraid there will 
continue to be many free riders and companies with inadequate information prac- 
tices. 

Necessary Elements For Effective Privacy Legislation 

I believe that the OPPA addresses many of the most delicate problems associated 
with a legislative privacy framework. First, it contains the fair information prin- 
ciples and allows for flexibility and change. The OPPA avoids a “one size fits all” 
approach to the notice requirements and provides a reasonableness test for access. 
The OPPA is also more reflective of a “real world” consumer environment because 
it employs a sliding scale that affords more protection to more sensitive information. 

Second, by preempting state law, the OPPA will prevent the possibility of multiple 
standards that could “Balkanize” e-commerce and prove overly burdensome to busi- 
ness and too confusing for consumers. Finally, in granting the FTC rulemaking au- 
thority, the OPPA will permit strong enforcement, with special sensitivity to indus- 
try and consumer needs, while also providing a means for state participation. 

Thank you again for providing me with this opportunity to discuss privacy legisla- 
tion and the OPPA. I also hope that you will continue to consider the FTC a re- 
source as your work progresses on this important issue. 

Sincerely yours, 


2 These features, coupled with technology that allows websites to surreptitiously collect con- 
sumer information, distinguish the online consumer environment from the offline world. 
Mozelle W. Thompson, 

Commissioner 


Federal Trade Commission 
Washington, DC, April 24, 2002 

Hon. John McCain, 

Ranking Member, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

Dear Senator McCain: 

Thank you for your letter of April 19, 2002 asking me to comment on Chairman 
Hollings’ Senate Bill 2201, “The Online Personal Privacy Act.” Your letter asked two 
questions: First, whether I believe legislation is needed, and if so, what it should 
contain. Second, you asked for my comments on the principal features of S. 2201. 

I. Is legislation needed? 

Yes, legislation is needed to protect consumers’ privacy. Absent federal standards 
to be followed by all persons and entities that collect private information, it is un- 
likely that consumers will be adequately protected from identity theft, commercial 
harassment, and hucksterism. In addition, dissatisfaction with and mistrust of on- 
line business practices by the American people will continue to grow; an uneven 
patchwork of state laws will proliferate; and consumer confidence in e-commerce will 
be undermined. 

Industry has not been able or willing to effectively self-regulate. While some re- 
sponsible companies have stepped up to the plate, the financial incentives work 
against a universal commitment by e-business to provide effective privacy protection 
for consumers. Business interests will undoubtedly point to a recent Progress and 
Freedom Foundation survey as evidence that federal legislation is not necessary be- 
cause websites are collecting less personally identifiable information and privacy no- 
tices are prevalent, more prominent, and more complete. These arguments com- 
pletely miss the mark. First, the survey reveals that nearly all sites surveyed con- 
tinue to collect personally identifiable information. 1 Second, the mere posting of a 
privacy policy does not ensure effective consumer protection and often is only pretty 
packaging of empty content. 

Just any legislation is not enough. In my view, strong privacy legislation should: 

• preempt inconsistent or weaker state law; 

• incorporate effective notice and choice, adequate access, reasonable security, 
and strong enforcement remedies; 

• be free from exceptions created for special interests or industries; 

• require affirmative consumer consent before sensitive personally identifiable in- 
formation is collected through any means either online or offline; and 

• avoid tactics that unduly delay the effective date of the Act. 

II. Senate Bill 2201 

Senate Bill 2201 provides long-awaited, strong protection measures for consumers 
in the online world. My only concern with this proposed legislation is its limited 
reach. In my view, federal legislation is necessary to protect the privacy of person- 
ally identifiable consumer information in the offline as well as online commercial 
realms. These marketplaces are often intertwined and indistinguishable. In fact, I 
believe that the wired world facilitates the effective, constant aggregation of endless 
varieties of real-time “surfer” information and combines it with commercial informa- 
tion gathered through traditional “offline” means. I would strongly support the ex- 
pansion of this Bill’s consumer protections to the “offline” collection of personally 
identifiable consumer information. 

That said, Senate Bill 2201 is a balanced, comprehensive approach to protecting 
consumer privacy online. By incorporating the concepts of notice, choice, access, se- 
curity, and enforcement, it creates a level playing field for both consumers and in- 
dustry. However, I offer the following comments: 


1 The survey indicated that 90 percent of the random sample, and 96 percent of the most pop- 
ular sites, collect personally identifiable information compared with 97 percent and 99 percent 
in 2000. This is hardly a statistically significant decline. In fact, an April 11, 2002, New York 
Times article (attached) chronicled how some of the Internet’s most frequently visited sites are 
expanding their collection and commercial use of personally identifiable information. 
Preemption 

I believe that federal legislation should preempt inconsistent and weaker state 
privacy laws which do not effectively protect consumers and tend to frustrate the 
development of e-commerce. On the other hand, I generally support the power of 
states to enact legislation that offers their citizens stronger consumer protections 
than federal law where the federal law merely establishes a “floor” of minimum pro- 
tection standards. However, if passage of a federal law “with teeth,” is feasible, I 
believe that both consumers and industry would value the uniformity and predict- 
ability that federal preemption offers. 

Title I — Online Privacy Protection 
Section 101 

I applaud Title I’s coverage of personally identifiable information that is collected, 
used or disclosed. Previous bills focused only on the “collection” of information, yet 
many privacy breaches occur when information is used or disclosed without the con- 
sumer’s knowledge or consent after collection. 

Notice and Consent 

I strongly support the inclusion of Section 102(b) which requires a consumer’s af- 
firmative consent (“opt-in”) before, or at the time that, certain sensitive information 
is collected. An opt-in consent requirement guarantees consumer notice and mean- 
ingful choice, and compels the collector to clarify its practices in order to entice the 
consumer to agree to them. It effectively equalizes the bargaining position of con- 
sumers and e-merchants in the market for personal information. 

While I prefer an opt-in standard for the collection of all personally identifiable 
information, the Bill’s requirement of robust notice and opt-out consent for nonsen- 
sitive personally identifiable information improves on the level of notice and choice 
currently provided by many websites. Also, I support the permanence of consent 
provision found in Section 102(e), which essentially provides that a consumer’s pri- 
vacy preferences stay with the user despite corporate changes. 

Section 103’s requirement that changes in privacy policies or the existence of pri- 
vacy breaches be communicated to consumers is particularly commendable. Many 
websites place the privacy protection burden on consumers to keep track of changes 
in a website’s privacy policy. Section 103 appropriately places that responsibility on 
the internet service provider, online service provider, or operator of a commercial 
website. Likewise, the Bill’s provision requiring user notification of material changes 
in the privacy policy allows consumers to utilize updated, relevant information when 
deciding how or whether to protect their own personal information. Section 103 il- 
lustrates the balanced approach of this Bill to the extent it acknowledges that there 
may be situations where delayed consumer notification is appropriate. 

The exceptions contained in Section 104 seem reasonable and again reflect the 
Bill’s inherent respect for the need to balance the vital privacy interests of con- 
sumers with the economic and financial interests of e-business. 

Access 

The access provision of Section 105 appropriately enables consumers to suggest 
corrections or deletions of personally identifiable information that the provider or 
operator has collected or combined with personally identifiable information gathered 
from other sources. The reasonableness test incorporated in this section strikes an 
appropriate balance among the competing interests of consumer privacy, the relative 
sensitivity of different types of personal information, and the burdens and costs im- 
posed on the website operator. 

Security 

The security provision in Section 106 is consistent with the approach taken by the 
Commission in its Gramm-Leach-Bliley Act Security Rulemaking. Rather than dic- 
tate a one-size-fits-all solution, it is up to the website to establish and maintain rea- 
sonable procedures necessary to protect the security, confidentiality, and integrity 
of the data it maintains. 

Title II — Enforcement 

I am impressed with the range of remedies included under this Title, including 
the authority to impose civil penalties and establish redress funds for consumers for 
violations of Title I. In addition, this Title allows private rights of action as well 
as state actions. 

Title III — Application to Congress and Federal Agencies 

To my knowledge, the federal agencies do not trade in private consumer information 
for commercial purposes. Therefore, I see no justification for Section 302. However, 
I do believe that federal agencies should provide notice to consumers about 
their information collection practices consistent with applicable federal law. 


Title IV — Miscellaneous 

Section 402 provides that the effective date of the Act will be the day after the 
date the Commission publishes a final rule under Section 403. While I am pleased 
that there is no “grace period” for compliance with this Title, I am disappointed that 
data collectors will be free from liability for data they collected without consumer 
consent before the Act’s effective date. I also hope that Congress will resist obvious 
delaying tactics, such as proposals for additional studies. 


Technical concerns 


Section 403 may need technical modifications to achieve the Bill’s goals. Our staff 
would be pleased to assist you in these efforts. Specifically, Section 403 should 
reflect that the rulemaking contemplated by the Act is to be conducted pursuant to the 
Administrative Procedure Act rather than through a Magnuson-Moss rulemaking. 
I appreciate the opportunity to express my views, and I hope they are helpful. 
Sincerely, 


Sheila F. Anthony, 

Commissioner 


Federal Trade Commission 
Washington, DC, April 24, 2002 

Hon. John McCain, 

Ranking Member, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

Dear Senator McCain: 

You have asked that members of the Federal Trade Commission provide their in- 
dividual views on a privacy bill, “The Online Personal Privacy Act,” S. 2201, and 
I am pleased to respond. 

It is important to express a key reservation up front. This statement of my indi- 
vidual views is constrained by my understanding of the context of your request. Like 
any other citizen, I have personal views on fundamental issues in the privacy debate 
(e.g., the question of whether it is appropriate to speak of a “right to privacy” in 
the context of private consensual transactions as opposed to intrusions by govern- 
ment; the balance between any privacy rights of one party and the First Amend- 
ment rights of another; and the question of whether it is realistic to expect that 
most barriers to disclosure will prove effective in the long term). However, there is 
no reason why you or any other lawmaker should be particularly interested in my 
opinions about these value-laden issues, so I understand that you are asking for my 
views in the context of the responsibilities and capabilities of the Federal Trade 
Commission. In other words, this response is constrained by an appreciation of the 
limitations of our institutional expertise. 1 

To be blunt, I do not believe it is my place to advise Congress on the bottom line 
issue of whether it is or is not a good idea to legislate on privacy issues. (To the 
extent I presumed to do so in the past, I have changed my mind.) The Federal Trade 
Commission, in my view, functions best as a facilitator, which attempts through law 
enforcement and education 2 to ensure that consumers are not misinformed about 
the goods and services that they buy and that sellers are not disabled by illegal pri- 
vate constraints. But, in the absence of Congressional direction to the contrary, we 
are neutral about the terms of sale that are freely determined. We have strong insti- 
tutional confidence in the ability of adequately informed consumers to make their 
own choices about what they want (including, presumably, varying levels of privacy 
protection) without interference from government. We are good at specifying what 
is adequate disclosure of the terms of sale but we are not good at devising rules 
for what the terms of sale should be. 

With this awareness of our limitations, I join with those colleagues who express 
serious reservations about the “Online Personal Privacy Act,” S. 2201. I generally 
concur in their conclusions, but write separately to emphasize my particular per- 
spective. I simply do not believe that S. 2201 can be enforced in a coherent way. 
The following is a summary list of the reasons: 


1 My previous statements on privacy issues are enclosed with this letter. 

2 The Commission also provides a forum for the exchange of views among outside individuals 
and groups. 
1. I do not believe it is workable or reasonable to treat privacy differently in 
the online world than in the offline world to the extent that the information col- 
lected is the same, regardless of the site of collection or the means of dissemina- 
tion. It is obvious that different modes of disclosure might be required, but it 
is illogical to regulate one medium and not the other. 

2. Congress may, in its judgment, determine that it is appropriate to mandate 
some form of “notice” to consumers about what will happen to their personal 
information. For one thing, mandated notice would eliminate the present awk- 
ward situation whereby a company that volunteers information about its pri- 
vacy policy 3 risks prosecution if the information is inaccurate, but one that vol- 
unteers nothing risks nothing. 4 Recent experience with mandated notice, how- 
ever, suggests that it is not enough for Congress simply to require that it be 
done. 5 Businesses have to be given more precise guidance about the forms of 
notice that will be useful to consumers. This is something that the Federal 
Trade Commission, as an institution, knows something about. It might be ap- 
propriate to direct the Commission or some other appropriate body to survey 
the quality of notices that are either voluntarily provided or mandated today, 
and then recommend a template for notice that would be meaningful. This 
project would inform the policy debate and ultimately, perhaps, provide the 
framework for legislation. 

3. The issue of “choice” or “consent” is much more complex than the bill seems 
to recognize. At first glance, it seems obvious that the whole purpose of notice 
is to enable consumers to make informed choices. It is necessary, however, to 
think about the consequences of choice. If there is no cost or reduced benefit as- 
sociated with the choice to opt-out (or failure to opt-in), then the added expense 
of accommodating these choices will be borne by consumers less tender of their 
privacy. (No one suggests that people who do not want to use their supermarket 
charge cards because of the information disclosed should be entitled to the dis- 
count anyway.) On the other hand, if privacy-conscious consumers are disadvan- 
taged too much, their only practical “choice” is to seek another provider, and 
mandated “opt-outs” or “opt-ins” become essentially meaningless. There would 
have to be some regulatory regime to determine what is a reasonable in-be- 
tween position in these circumstances, and I have no idea how this could be 
done across-the-board. 

4. Under the bill, further refinements of “access” and “security” would presum- 
ably need to be spelled out in rulemaking proceedings. 6 As I have said before, 
“[i]t is not appropriate to defer all the tough issues for future rule-making.” 7 
I personally believe, for example, that there is a vast disparity between the 
costs and benefits of an access regime in most situations, and I further believe 
that the costs of merely developing and enforcing across-the-board rules would 
also vastly exceed the benefits. Congress may want to consider whether any tai- 
lored expansion of present rights is necessary, 8 but a blanket mandate of “ac- 
cess” rights is unlikely to result in significant benefits overall. 

These are major objections, but the following issues are also significant: 

5. S. 2201 distinguishes “sensitive” from “non-sensitive” personal information. 9 
These categories seem arbitrary. For example, as Chairman Muris points out 
in his letter to you of this date, some might feel that information about the 
books they read is a lot more sensitive than their political affiliation. Moreover, 


3 And, apparently, an overwhelming majority do, according to the most recent evidence. Wil- 
liam F. Adkinson, Jr., Jeffrey A. Eisenach and Thomas Lenard, Progress & Freedom Founda- 
tion, “Privacy Online: A Report on the Information Practices and Policies of Commercial 
Websites” www.pff.org/pr/pr032702privacyonline.htm. 

4 The vendor may, of course, incur marketplace risk. 

5 Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6810; and Interagency Public Workshop: Get 
Noticed: Effective Financial Privacy Notices (December 4, 2001) 
http://www.ftc.gov/bcp/workshops/glb/index.html. 

6 S. 2201, Section 403. 

7 Federal Trade Commission, “Online Profiling: A Report to Congress” (Part 2) (Statement of 
Commissioner Thomas B. Leary, Concurring in Part and Dissenting in Part) (July 2000) 
http://www.ftc.gov/os/2000/07/onlineprofiling.htm#LEARY. 

8 The Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq., and the Children’s Online Privacy 
Protection Act of 1998, 15 U.S.C. §§6501 et seq., are among the federal laws that grant access 
rights. 

9 S. 2201, Sections 102 and 401. 
information that is merely “inferred” from data 10 may be just as sensitive as 
information “about” 11 certain aspects of an individual. 12 

6. The distinction between “clear and conspicuous” notice and “robust” notice 13 
seems unworkable as a legal mandate. Articulation of the latter undercuts the 
significance of the former. If some form of notice is ever mandated by Congress, 
it should be both. 

7. The bill is silent about the extent to which privacy protections travel with 
consumers’ personal information. In general, Gramm-Leach-Bliley’s privacy pro- 
visions require downstream recipients of covered data only to use the informa- 
tion in a fashion that is consistent with the consumers’ stated privacy pref- 
erences or only for uses that are exempted from the notice and choice require- 
ments (such as credit reporting). In this sense, the protections flow with the in- 
formation. I seriously question whether this concept can be applied across the 
economy, but without it, the privacy protections of the bill may be nullified. 

8. As Chairman Muris notes, some of the provisions of S. 2201 attempt to rec- 
oncile the legislation’s privacy protections with other federal statutes that allow 
limited but beneficial information sharing. However, as currently drafted, S. 
2201 might limit a variety of legitimate and beneficial information sharing 
which covered entities engage in and which Congress would like to continue. It 
is not clear, for example, whether information about transactions completed on- 
line could be communicated to credit bureaus. Without appropriate exclusions, 
any proposed privacy rules could have a serious anti-consumer impact. 

9. This bill would add to the emerging patchwork of federal privacy regulations 
that apply to personal information 14 and may ultimately result in ambiguous, 
conflicting, or impractical requirements for businesses, and greater confusion for 
consumers as well. For example, S. 2201 provides that “sensitive” and “non-sen- 
sitive” information would be subjected to different levels of protection. Dissemi- 
nation of “sensitive” information would be subject to consumer notice, opt-in 
choice, access and security. “Non-sensitive” information would be protected by 
“robust” notice, opt-out choice, access and security. The specifics of these re- 
quirements would all be defined in a future rulemaking. At the same time, 
“non-public” personal information collected by financial institutions (whether 
online or offline) would be subjected to Gramm-Leach-Bliley’s distinct notice, 
choice and security standards. 

Businesses that seek to comply with both of these regulations would be required 
to differentiate between online and offline information as well as any possible dif- 
ferences between the notice, choice, and security requirements in the two regulatory 
schemes. Additionally, our experience to date with Gramm-Leach-Bliley suggests 
that consumers may need less rather than more complex privacy disclosures in order 
to understand and execute their rights. It is unrealistic, at this point, to assume 
that consumers will comprehend the various categories of information as well as the 
protections that are attached to each category of information. 

10. The bill provides that “penalties” would be imposed for a violation of the 
statute, and that “redress” would be distributed to consumers in an amount not 
to exceed $200 (for breaches involving non-sensitive personal information). This 
confuses two separate concepts. Penalties are calculated without regard to consumer 
injury or ill-gotten gains, and are paid to the Treasury. Redress is intended to make 
consumers whole. 


10 S. 2201, Section 401. 

11 S. 2201, Section 401. 

12 See, In the Matter of Eli Lilly and Co., FTC File No. 012-3214 (January 18, 2002) 
http://www.ftc.gov/opa/2002/01/elililly.htm. This case involved the improper disclosure of the 
identity of people who had regularly obtained information about a certain psychotropic 
medication, but did not disclose whether they actually took the medication. 

13 S. 2201, Sections 102 and 401. 

14 Among the many federal privacy laws are: Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6810 
(covers financial institutions, non-public personally identifiable information and requires 
notice of information practices and an opt-out for sharing information with third parties); 
Children’s Online Privacy Protection Act of 1998, 15 U.S.C. §§ 6501 et seq. (covers Web site 
operators, prohibits collection, use and disclosure of children’s online information without 
verifiable parental consent and provides for parental access rights and imposes security 
requirements); Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq. (covers credit bureaus and 
providers and users of credit data and grants consumers access rights and opt-out rights for 
certain uses of credit data); and Health Insurance Portability and Accountability Act of 1996, 
Pub. L. No. 104-191, 262(a), 110 Stat. 1936 (1996) (codified as amended in scattered sections 
of 18, 26, 29 and 42 U.S.C.A.); 42 U.S.C.A. §§ 1320d to 1320d-8 (West Supp. 1998) (covers a 
variety of health-related entities and health information and contains requirements that 
include notice, varying degrees of choice, access, and security). 

11. Wholly apart from the burden issues identified above, the bill does not seem 
to recognize the potential conflict between access and security. Broad access 
rights will lead to the centralization of data which could result in very signifi- 
cant security breaches. This is a highly technical subject, on which there is no 
consensus among experts. 15 

I appreciate the opportunity to provide these comments and would be pleased to 
respond to any further questions. 

Sincerely, 

Thomas B. Leary, 

Commissioner 


The Chairman. Senator Cleland. 

STATEMENT OF HON. MAX CLELAND, 

U.S. SENATOR FROM GEORGIA 

Senator Cleland. Thank you very much, Mr. Chairman. 

The difference between the world we see today and the world we 
saw last year is quite stark. Given September 11, the support for 
our men and women fighting in uniform, fighting terrorism abroad, 
for law enforcement efforts to uncover terrorist activity at home 
have justifiably received support, and I fully support these efforts 
as well, but on the domestic front, protecting people’s privacy at 
home still remains for me an important issue as well. 

I am constantly reminded of this fact from stories of people who 
provide incorrect information to online businesses because of the 
fear that this information may be improperly used and from con- 
sumers choosing to bypass the many services the Internet provides 
for commercial purposes because they are concerned their online 
buying habits may be shared with others. 

The Senate has acted in a manner which I believe is balanced 
in its approach to online privacy. S. 2201, the bipartisan privacy 
legislation of which I am a proud cosponsor, incorporates many of 
the concerns of the high tech industry and balances those with a 
need of protections that have been advocated by civil liberties 
groups. 

Under the bill, sensitive information such as financial and health 
records, ethnic information, religious affiliation and social security 
numbers must be protected unless a person provides affirmative 
consent that this information can be shared. Other nonsensitive in- 
formation can be shared between companies unless the consumer 
opts out of this sharing. That is straightforward protection in its 
most basic form, and, like the Fair Credit Reporting Act, which has 
worked well for consumers, information will be accessible and cor- 
rectable. This approach is reasonable, as evidenced by the bipar- 
tisan support it has received. 

I believe that one of Yahoo’s former vice presidents for direct 
marketing correctly frames the issue when he describes Yahoo’s re- 
cent change in its privacy policy that would require opting out of 
receiving solicitations. Quote, they would be better off sending of- 
fers to a million people who said they want to receive a coupon 


15 Final Report of Federal Trade Commission Advisory Committee on Online Access and 
Security, published as Appendix D of Privacy Online: Fair Information Practices in the 
Electronic Marketplace: A Federal Trade Commission Report to Congress (May 2000) 
http://www.ftc.gov/acoas/papers/finalreport.htm. 
each day, than to send them to 10 million people and worry about 
whether you have offended them by finally going too far. This is 
basic marketing knowledge, and I see no reason why it should not 
apply to the Internet as well. 

We have a good privacy protection bill for consumers, and I ap- 
preciate the opportunity to work with the Chairman on perfecting 
this legislation. Thank you, Mr. Chairman. 

The Chairman. Thank you. We welcome the distinguished panel. 
Each of the statements of the distinguished witnesses is included 
in its entirety in the record. The Senators have had a chance 
to review those statements, and we would ask, in order that we 
leave some good time for questioning, that each of the witnesses 
summarize within, let us say, the 7-minute rule. Let me start over 
on your right and go right across and start with Mr. Torres and 
end with Mr. Dugan. 

Mr. Torres. 

STATEMENT OF FRANK TORRES, LEGISLATIVE COUNSEL, 
CONSUMERS UNION 

Mr. Torres. Good morning, Mr. Chairman, Members of the Com- 
mittee. Consumers Union appreciates the opportunity to discuss 
our support for S. 2201. S. 2201 is a sound privacy law that will 
increase consumer trust and confidence in the online marketplace. 
We commend you and other members who have sponsored this 
landmark bill. You and your staffs have worked hard to balance 
the consumer’s interest with those of the tech world, bending over 
backward in some cases to address their concerns. Here are some 
of the reasons we believe this bill is good. 

First, S. 2201 will provide both consumers and businesses with 
clear expectations of how online information will be treated, when 
it can be shared, and let consumers control the use of their per- 
sonal data. Up till now, privacy has been addressed sector by sec- 
tor. We often hear complaints from businesses that one sector is 
being treated differently from another. S. 2201 responds to those 
concerns. Consumers Union believes that basing the protection 
trigger on the type of information collected, rather than any spe- 
cific industry, is the right way to address online privacy. 

Second, S. 2201 advances the privacy debate by recognizing the 
distinction between sensitive and nonsensitive data. More sensitive 
personal data like financial and medical information warrant the 
strongest possible protections. A business should first obtain a con- 
sumer’s consent before protecting or sharing that information out- 
side the scope of the reason for which that data was given. 

Where data is less sensitive, a less rigorous approach may be ap- 
propriate. However, this only works if the notice is good. The ro- 
bust notice contemplated in S. 2201 will provide an up-front mech- 
anism for consumers to get privacy notices and exercise their opt- 
out. 

Third, S. 2201 offers a substantial improvement over the 
Gramm-Leach-Bliley Act by providing that sensitive financial infor- 
mation cannot be shared without the express consent of consumers, 
again for reasons outside the scope for which it was given. 

On the issue of preemption, Consumers Union believes that the 
strength of S. 2201 must be weighed against State privacy efforts. 
S. 2201 could set a strong national standard. However, should the 
bill be scaled back, we would revisit our position on the preemption 
issue and the bill as a whole. 

Businesses that choose to collect and share sensitive personal in- 
formation should be held accountable for their handling of that 
data. This gets to the question of the private right of action. If 
wrongful disclosure of sensitive data after a consumer has said no 
leads to identity theft, for example, shouldn’t the consumer be com- 
pensated for his or her loss? 

S. 2201 exercises an abundance of caution on this issue, given 
the concerns of the industry. It applies only to sensitive data. The 
consumer must prove actual damages. The amount of damages is 
limited even for multiple breaches, and actions cannot be brought 
if the disclosure was caused by systems failure or an event beyond 
the control of the business. 

In fact, there are a number of privacy laws that are both opt-in 
and also allow consumers to go after the wrong-doers. We have not 
heard, as I am sure we would have, of any explosions of lawsuits 
in these areas. We know from privacy surveys that consumers are 
concerned about privacy. They are more concerned about online 
than offline privacy. They want Congress to act, and they favor an 
opt-in approach overall. This bill splits between an opt-in and an 
opt-out approach. Consumers are concerned about privacy because 
banks have shared sensitive information with felons, or have used 
sensitive information fraudulently. 

We are here because of DoubleClick, Toysmart, and Yahoo and 
their practices. Maybe some think it is OK for banks to share cus- 
tomer data with felons, or that companies should be allowed to lie 
to consumers. We, however, believe that such behavior is unaccept- 
able. The reaction of some to S. 2201 and other privacy bills re- 
minds me of the story of Goldilocks. This bill is too hot, or this one 
is too cold. 

Unlike Goldilocks, however, some will never find the privacy law 
that is just right. They are going to oppose any privacy legislation 
that Congress offers. S. 2201 gives consumers control over their 
own information, and it places the burden where it should be, on 
businesses who want information to convince consumers to share 
it. Isn’t that how the marketplace should be working? 

Thank you, and I would be happy to answer any questions. 

[The prepared statement of Mr. Torres follows:] 

Prepared Statement of Frank Torres, Legislative Counsel, Consumers 

Union 

Consumers Union 1 appreciates the opportunity to present this testimony on the 
Online Personal Privacy Act, S. 2201. This hearing provides a forum to discuss why 
American consumers need meaningful and comprehensive online privacy protections, how 
S. 2201 accomplishes those goals, and Consumers Union’s support for the bill. 


1 Consumers Union is a nonprofit membership organization chartered in 1936 under the laws 
of the State of New York to provide consumers with information, education and counsel about 
goods, services, health, and personal finance; and to initiate and cooperate with individual and 
group efforts to maintain and enhance the quality of life for consumers. Consumers Union’s 
income is solely derived from the sale of Consumer Reports, its other publications and from 
noncommercial contributions, grants and fees. In addition to reports on Consumers Union’s own 
product testing, Consumer Reports, with approximately 4.5 million paid circulation, regularly 
carries articles on health, product safety, marketplace economics and legislative, judicial and 
regulatory actions which affect consumer welfare. Consumers Union’s publications carry no 
advertising and receive no commercial support. 

Introduction 

Consumers Union has long been an advocate for strong privacy protections. Along 
with other consumer and privacy advocates we pushed for amendments to the 
Gramm-Leach-Bliley Act to try to provide consumers control over how their personal 
financial information is collected and whether it could be shared. We fought for 
strong medical privacy regulations and continue to push for privacy related to 
health like genetic information. Consumers Union is also part of a broad privacy co- 
alition that has supported online privacy protections. 

Stronger laws are needed to give consumers control over their personal informa- 
tion. Legislative efforts such as S. 2201 will help ensure that consumers are told 
about how and why information is collected and used, provided access to that data, 
and given the ability to choose who gets access to their most intimate personal data. 

S. 2201 represents a balanced and reasonable approach to online privacy. The bill 
reflects where there could be some agreement on the substantive privacy protections 
of notice, access and consent. 

Consumers Union believes that basing the protection trigger on the type of infor- 
mation collected, rather than on any specific industry sector is a right way to ensure 
consumer data is safeguarded. This is a logical way to consider the privacy issue. 
Consumers should not have to keep track of all the business entities that may 
be collecting information about them, especially in light of the growing number of 
cross-industry mergers and the passage of the Gramm-Leach-Bliley Act. S. 2201 
provides clear guidance for businesses as well. If you collect and use consumer data 
covered by the bill, you know what you have to do. 

Background 

The right to be left alone appears to have been trumped by the pressure exerted 
by businesses to protect and expand their ability to gather personally identifiable 
information from consumers. No part of life is left untouched by data collection ac- 
tivities. Financial and medical records, what you buy, where you shop, your genetic 
code, are all exposed in a privacy free-for-all. Complete strangers can, for a price, 
have access to your most intimate secrets. Often, consumers have no choice in 
whether or not information is collected and no choice in how it is used. 

Do consumers care about their privacy? You bet they do. 

• According to a survey commissioned by STAR, a subsidiary of Powell Tate, con- 
ducted by SWR Worldwide, many consumers report they have informed their 
primary financial institution of their desire to opt out (31 percent) of informa- 
tion sharing. And 40 percent plan to opt out in the next 12 months. This opt 
out rate is significantly higher than that reported by financial institutions. 

• The survey, conducted after September 11, also found that more than half of 
the respondents (57 percent) expressed concern that their primary financial in- 
stitution may be sharing personal or financial information with its affiliates or 
third parties. The majority (59 percent) also reported that their level of concern 
is about the same as it was a year ago. 

• A recent report by KPMG, entitled A New Covenant With Stakeholders: Man- 
aging Privacy as a Competitive Advantage, cites a survey of U.S. voters by the 
Public Opinion Strategies firm last year indicating that strengthening privacy 
laws to assure that computerized medical, financial or personal records are kept 
private is the highest-rated issue of concern to voters nationwide. 

• KPMG also noted that increasingly, individuals want to choose who does and 
does not have access to their medical, financial, purchasing, and other personal 
information. And, if access is needed, individuals would like to be able to specify 
for what purposes and to what extent access will be granted. They also want 
specific assurances that the information they consider private is, in fact, kept 
private by the organizations with which they do business. 

• Forrester Research found that 72 percent of consumers participating in a survey 
last year considered it a violation of privacy for businesses to collect and then 
supply personal data to other companies. 94 percent of Internet users want pri- 
vacy violators to be disciplined. 70 percent said that Congress should pass legis- 
lation protecting privacy on the Internet. In December, Forrester found 69 per- 
cent of Americans worried about their financial privacy. 

• Other surveys have estimated that concerns about privacy and lack of trust cost 
U.S. companies $12.4 billion in 2000 because consumers were reluctant to share 
their personal information over the Internet. 
• A 2001 study by the Markle Foundation found that by more than a 3 to 1 margin (63-19 percent) the public says it is more concerned about companies collecting personal information online than offline. 

• Nearly two-thirds of the public, 64 percent, say that the government should de- 
velop rules to protect people when they are on the Internet, even if it requires 
some regulation of the Internet. 

• The study also found that the public is looking not only for protection by others, 
but they want an ability to control their own online experience, and the uses 
that others might make of what they do online. By a strong 58-37 percent mar- 
gin, the public prefers an opt-in regime. 

• Finally, the survey concluded that the public perceives that the Internet, al- 
though useful, is not yet a medium that enables them to hold others account- 
able when they go online. 

All these surveys lead to the same conclusion: the majority of consumers are con- 
cerned about the threats to their privacy while online. An Ernst and Young report 
Privacy Promises Are Not Enough, noted that “at the core of this trust issue is the 
fact that consumers do not trust businesses to protect their privacy or follow their 
stated privacy policies.” 

Increasingly, consumers want to choose who does and does not have access to 
their medical, financial and other personal information. Consumers want to be able 
to specify for what purposes and to what extent access to their information will be 
granted. Consumers want assurances that the information they consider sensitive 
will be kept private by the businesses they use. Often, consumers have no choice 
in whether or not information is collected and no choice in how it is used. Today, 
any information provided by a consumer for one reason, such as getting a loan at 
a bank, can be used for any other purposes with virtually no restrictions. 

Comments on S. 2201 

There are a number of elements of privacy protection that have become clearer 
over the course of our involvement in the privacy debate which are reflected in S. 
2201: 

• A distinction can be made between sensitive and non-sensitive information. S. 
2201 advances the privacy debate by recognizing the distinction be- 
tween sensitive and non-sensitive data. We have commented that more sen- 
sitive personal data, like financial and medical information, warrant the strong- 
est possible protections. For this type of data we favor an approach that re- 
quires a business to obtain the consumer’s consent prior to sharing that data. 
For other data collected, a lesser standard may be appropriate. We support this 
approach only if clear notice is given to the consumer prior to the collection of 
the data and that the consumer is given the opportunity up front to choose not 
to have his or her information shared with others. We encourage providing spe- 
cific and uniform mechanisms for exercising an opt-out. 

For telephone marketing several states are implementing “do-not-call” lists. 
Even the Direct Marketing Association maintains such a list. A one-stop uni- 
versal opt-out would be a useful tool for consumers. We anticipate that the Fed- 
eral Trade Commission will move forward soon on a final rule for a national 
do-not-call list. Perhaps a similar mechanism for the online world should be en- 
couraged. 

• Consumers need a stronger law to protect their personal financial information. 
S. 2201 offers a substantial improvement over the privacy provision of 
the Gramm-Leach-Bliley Act by providing that sensitive financial infor- 
mation cannot be shared with affiliates or third parties without the ex- 
press consent of the consumers. S. 2201 would allow financial institutions 
to share less sensitive data with their affiliates under the opt-out standard. 

The Gramm-Leach-Bliley Act falls far short of providing meaningful privacy 
protections in the financial setting. Loopholes in the law and in this draft rule 
allow personal financial information to be shared among affiliated companies 
without the consumer’s consent. In many instances, personal information can 
also be shared between financial institutions and unaffiliated third parties, including marketers, without the consumer’s consent. 

Consumers across the country are receiving privacy notices from their financial 
institutions. Unfortunately these opt outs, in reality, will do little or nothing to 
prevent the sharing of personal information with others. Other loopholes allow 
institutions to avoid having to disclose all of their information sharing practices 
to consumers. In addition, the GLB does not allow consumers access to the information about them that an institution collects. While states were given the 
ability to enact stronger protections, those efforts have met fierce resistance by 
the financial services industry. 

Reports and surveys conducted by the Privacy Rights Clearinghouse show how 
poorly written and difficult to understand the financial privacy notices are. De- 
spite those obstacles, a recent survey indicates that consumers are choosing to 
opt-out. 

• Consumers’ health information should not be shared without their express con- 
sent. S. 2201 protects personal health information across the board — 
under the bill health information cannot be shared without the prior 
consent of the consumer. There appears to be widespread agreement on this 
principle. 

Consumers should not be put in the position of privacy intrusions when they 
go online to seek medical advice or information about prescription drugs, for ex- 
ample. Those seeking medical treatment are most vulnerable and should be al- 
lowed to focus on their treatment or the treatment of their loved ones, rather 
than on trying to maintain their privacy. It is unfair that those citizens must 
be concerned that information about their medical condition could be provided 
to others who have no legitimate need to see that information. 

• S. 2201 requires notice and consent prior to the sharing of personal in- 
formation with others. Online entities that collect personal information 
should be responsible for providing notice to consumers if they intend to share 
personal data with others and allow consumers to opt-out of such data collection and sharing with third parties. 

• S. 2201 will allow consumers to opt-out of sharing their less sensitive 
data. This requirement should be easy to implement; in most cases consumer 
choice can be provided at the point where the information is collected. The opt- 
out for less sensitive information is distinguishable from the stricter regime 
that would apply to more sensitive financial and medical data. An opt-out may 
be adequate for such information provided that the notice and choice is given 
up-front, prior to the collection, and is clear and in plain English. Consumers 
Union believes that the “robust” notice called for in S. 2201 will provide con- 
sumers with the type of notice to get the job done and avoid the pitfalls of the 
financial privacy notices. 

This is a reasonable step. Consider the position of the former Vice President of 
Yahoo!, Seth Godin, who has written about “permission marketing.” He says that 
about 38 percent of the people that are given a chance to tell his company their 
interests to get information about things that match their profile do, in fact, 
opt-in. He goes on to call opt-out a sham. 

• Businesses should be responsible for safeguarding the sensitive data of 
Internet users if they choose to collect and use that data. Businesses that 
collect and share sensitive personal information should be held accountable if 
that information is shared after a consumer has said no to such sharing of in- 
formation. For example, if disclosure of sensitive financial data without the con- 
sumer’s consent is the cause of that consumer’s identity being stolen, shouldn’t 
the businesses that sold the information be held accountable and be responsible 
for that consumer’s loss? 

The approach in S. 2201 is reasonable on this issue. It provides a private right 
of action only related to the misuse of sensitive personal data. Even then, the standard is high — a consumer can only recover upon a showing of actual harm. Actions 
cannot be brought if a systems failure or an event beyond the control of the business 
caused the disclosure. 

We have not seen evidence of an onerous litigation burden despite a number of 
prior privacy statutes that allow such action. Most of these laws have been on the 
books for years: 

• Section 616 of the Fair Credit Reporting Act — up to $1,000 for knowing or 
willful noncompliance plus punitive damages and actual damages for negligent 
noncompliance; 

• 47 U.S.C. Section 551 Cable Communications Policy Act — $1,000 or actual 
damages plus punitive damages; 

• Section 2520 of the Electronic Communication Privacy Act — between $500 
and $10,000 and actual damages; 

• 18 U.S.C. Section 2710 Video Privacy Protection Act — $2,500 in actual dam- 
ages plus punitive damages; 
• 47 U.S.C. Section 227 Telephone Consumer Protection Act — up to $500 for 
each violation. 

• The strength of S. 2201 must be balanced against any preemption of 
state law. In response to consumer concerns about privacy several states are 
poised to act on these issues. We consider the work of the states vital. Con- 
sumers Union believes that it is critical to seek the input from the states, in- 
cluding state attorneys general and legislators, before deciding to preempt state 
privacy efforts. As long as the underlying privacy standards remain strong, S. 
2201 will set a strong national privacy standard. Should S. 2201 be weakened 
Consumers Union would reconsider its continued support for the bill and urge 
that states be allowed to pass tougher privacy laws. Let us be clear, should the 
other provisions in the bill change, we would reconsider our position on preemp- 
tion. Preempting state law is predicated on getting the strongest possible con- 
sumer protection in the underlying legislation. 

The Online Marketplace 

The ability to collect, share and use data in all sorts of ways boggles the mind. 
Consumers, in many cases, aren’t even aware that data is being collected, much less 
how profiles about them are created. The information collection overload is particu- 
larly troublesome when it becomes the basis for decisions made about an indi- 
vidual — like how much a product or service will cost. 

Cross industry mergers and consolidations have given financial institutions un- 
precedented access to consumers’ personal data. Technology has made it possible 
and profitable to mine that data. No law prevents businesses from using data to 
choose between desirable borrowers and less profitable consumers the institutions 
may want to avoid. Special software helps guide sales staff through scripted pitches 
that draw on a customer’s profile to persuade the account holder to buy extra, and 
in some cases junk products. 

Some web-based businesses already seem to be willing to move beyond the privacy 
wasteland where GLB left consumers. There no longer appears to be a question, for 
some, of whether consumers should get notice, access, and control over their infor- 
mation. The challenge is how to effectively put these principles into practice. 

A May 2000 Consumer Reports survey of web sites, Consumer Reports Privacy 
Special Report, Big Browser is Watching You, shows that consumers’ privacy is not 
being protected online. The report also shows that privacy notices at several popular 
sites are inadequate and vague. This data, as do other recent web surveys, shows the state of consumer privacy online continues to be hit or miss. 

Privacy policies are not a substitute for privacy protections, especially when some 
companies don’t even follow what is in their policies. Just because a company has 
a privacy policy does not mean that they follow Fair Information Practices. And con- 
sumers are skeptical about self-regulation. 

The marketplace is changing daily. The Wall Street Journal reports that Time 
Warner has the names, addresses and information on the reading and listening hab- 
its of 65 million households. USA Today says Time Warner has access to informa- 
tion about its 13 million cable subscribers and from its other businesses, like Time 
and People magazine. With so much information, how will the competitiveness of 
the marketplace be impacted by this merger? Will companies who seek to operate 
under a higher privacy standard be at a competitive disadvantage and unable to 
compete against a larger entity that is able to make unrestricted use of the personal 
information it obtains? 

Do Consumers Benefit from Data Sharing? 

Financial institutions promised that in exchange for a virtually unfettered ability 
to collect and share consumers’ personal information, that consumers would get bet- 
ter quality products and services and lower prices. This is why, they claimed, con- 
sumers shouldn’t have strong privacy protections like the ability to stop the sharing 
of their information among affiliates, or access to that information to make sure it’s 
accurate. Let’s look at reality. 

Bank fees for many consumers continue to rise. Information about financial 
health may actually be used to the consumer’s detriment if it is perceived that the 
consumer will not be as profitable as other customers. Both Freddie Mac and Fannie 
Mae say between 30 and 50% of consumers who get subprime loans, actually qualify 
for more conventional products, despite all the information that is available to lend- 
ers today. Credit card issuers continue to issue credit cards to imposters, thus per- 
petuating identity theft, even when it seems like a simple verification of the victim’s 
last known address should be a warning. Instead of offering affordable loans, banks 
are partnering with payday lenders. And when do some lenders choose not to share 
information? When sharing that information will benefit the consumer — like good 
credit histories that would likely mean less costly loans. 

Chase Manhattan Bank, one of the largest financial institutions in the United 
States, settled charges brought by the New York attorney general for sharing sen- 
sitive financial information with outside marketers in violation of its own privacy 
policy. In Minnesota, U.S. Bancorp ended its sales of information about its cus- 
tomers’ checking and credit card information to outside marketing firms. Both of 
these were of questionable benefit for the bank’s customers. Other institutions sold 
data to felons or got caught charging consumers for products that were never or- 
dered. 

Maybe the right approach is to let institutions that want a consumer’s informa- 
tion to be put in a position to convince that consumer that some benefit will be de- 
rived from a willingness to give that information up to the institution. Such an ap- 
proach may increase trust in financial institutions and let consumers have control 
and choice over their own personal information. The same technology that enables 
vast amounts of data to be collected can be used to give consumers access to that 
data. It is a simple thing to tell consumers what is collected and how it is used. 

Conclusion 

Consumers face aggressive intrusions on their private lives. Often a consumer is 
forced to provide personal information to obtain products or services. Many times 
information that has been provided for one purpose is then used for another reason, 
unbeknownst to the consumer. Financial institutions, Internet companies, health 
providers and marketers have been caught crossing that line. Meanwhile, identity 
theft is at an all-time high. 

Sound and comprehensive privacy laws will help increase consumer trust and con- 
fidence in the marketplace and also serve to level the playing field. These laws do 
not have to ban the collection and use of personal data, merely give the consumer 
control over their own information. 

Consumers should have the right to be fully and meaningfully informed about an 
institution’s practices. Consumers should be able to choose to say “no” to the sharing 
or use of their information for purposes other than for what the information was 
originally provided. Consumers should have access to the information collected 
about them and be given a reasonable opportunity to correct it if it is wrong. In 
addition to full notice, access, and control, a strong enforcement provision is needed 
to ensure that privacy protections are provided. 

S. 2201 provides the privacy protections consumers deserve. 

The Chairman. Very good. Ms. Lawler. 

STATEMENT OF BARBARA LAWLER, CHIEF PRIVACY 
OFFICER, HEWLETT-PACKARD COMPANY 

Ms. Lawler. Good morning, Mr. Chairman, Members of the 
Committee. I thank you for the invitation to appear today to dis- 
cuss the need for stronger Federal protections for consumer privacy 
and comment specifically on S. 2201. 

My name is Barbara Lawler, and as the privacy manager for HP 
I have global responsibility for HP’s privacy policy management, 
implementation, compliance, education, and communication, both 
for offline and online approaches. We want to commend you, Mr. 
Chairman, and the Ranking Minority Member, Senator McCain, 
and the other Members of the Committee for your commitment to 
finding solutions to address consumer concerns about protecting 
their privacy. 

3 years ago, when HP first advocated the need for a Federal ini- 
tiative on privacy, we were virtually alone as a corporation in advo- 
cating this position. We think times have changed, and that many 
more companies and associations will support reasonable baseline 
Federal legislation for protecting consumers’ privacy. It is time to 
develop national privacy standards. 
Let me start by briefly giving you an overall picture of how we 
manage privacy at HP. We apply a universal global privacy policy 
built on the fair information practices mentioned today by the 
Committee, notice, choice, accuracy and access, security, and over- 
sight. In any language the core commitments are the same, with 
minimal localization required to reflect local country laws. Some 
key provisions in our policy include no selling of customer data, no 
sharing of our customer data outside HP without that customer’s 
permission, customer access to core contact data, and a customer 
feedback mechanism. We insist, through contractual obligations, 
that suppliers must abide by our policies. 

On January 29 of 2001, HP became the first high tech company 
to self-certify with the U.S. Department of Commerce a safe har- 
bor. This demonstrates our continued leadership to strong privacy 
practices in the U.S., and because HP manages to a global privacy 
policy, citizens in the U.S. enjoy the same benefits as those in the 
EU and elsewhere from HP’s privacy policy. 

I would now like to turn to the language of S. 2201. First of all, 
let me say that we are pleased to see that the bill bases its notice 
and consent requirements on clear and conspicuous disclosure. HP 
has always felt that informed choice depends upon consumers hav- 
ing available the information they need to make informed choices 
about with whom they wish to share their personal information. 

We are pleased that section 102 recognizes the importance of re- 
quiring this basic consumer protection. We are also pleased that 
there is a place in this legislation for privacy-enhancing tech- 
nologies like P3P that enhance the notice and choice capabilities 
for consumers. 

We are also pleased that the legislation does not take an either- 
or stance with regard to the opt-in, opt-out debate. We believe that 
the continued free flow of nonsensitive personal data with the re- 
sulting economic benefits for both consumers and businesses may 
be best served by an opt-out requirement, allowing room for com- 
petitive differentiation. For personal information that is sensitive, 
an opt-in requirement will give consumers greater confidence in 
participating in online transactions. HP believes a very construc- 
tive discussion can be held as to where the demarcation should be 
made between opt-in and opt-out. 

We also agree on the importance of giving consumers reasonable 
data access to evaluate the accuracy of information collected. An 
observation that we would make is that from our experience, data 
access can be a very complex process. Many companies have mul- 
tiple data bases that collect data from a number of sources and me- 
diums, and they may not be interoperable. 

An integral problem related to this is that of authentication. 
Confirming that somebody is indeed who they say they are when 
they request data access could lead into security and identity theft 
issues. Creating a potential security breach or identity theft prob- 
lem while trying to address data access is a very real concern. 

As to enforcement, we are pleased that the legislation recognizes 
the importance of the role of the FTC, and we also agree that there 
is a role for the State Attorneys General in the enforcement of this 
legislation, and we concur with the balance achieved in the bill between the rights of States to protect their citizens and the right of 
the FTC, as the expert agency, to interpret its rules. 

One suggestion we would like to make is to find a role for self- 
regulatory privacy seal programs that have standards equal to or 
above those required under this legislation. The more eyes and ears 
available to resolve privacy disputes will benefit consumers, allow- 
ing the FTC to certify reputable seal programs to take a first crack 
at resolving disputes. 

Moving to ramp up and comment on the areas where we do have 
concerns, we must state our strong opposition to the concept of the 
private right of action for a privacy violation. We agree with the 
legislation that there is a need for strong, bright lines as to what 
businesses must do to protect consumer privacy. As we have said, 
we welcome a healthy debate on opt-in and opt-out, and FTC and 
State AG enforcement. We would urge the Committee to consider 
adding language that would allow reputable seal programs to help 
in protecting consumer privacy. All these initiatives add clarity and 
certainty to the job of businesses protecting consumer privacy. 

We are concerned that a private right of action will create less 
certainty and clarity in the marketplace as each court will supply 
its own definition of what constitutes actual harm or reasonable ac- 
cess or reasonable security. Calibrating actual monetary loss from 
privacy evaluations could become an art rather than a science, as 
in each case each court, each plaintiff lawyer having their own 
view. 

In other issues addressed in the bill, we believe that there must 
be a recognition that the offline world and the online world should 
be subject to the same privacy rules. We would be pleased to work 
with the Committee on addressing that need for convergence, rec- 
ognizing the differences in offline and online implementation. 

I want to thank you, Mr. Chairman, for the opportunity to testify 
on S. 2201. HP looks forward to working with the Committee in de- 
veloping and passing practicable consumer privacy protection this 
Congress. I would be pleased to answer any questions you may 
have. 

[The prepared statement of Ms. Lawler follows:] 

Prepared Statement of Barbara Lawler, Chief Privacy Officer, 
Hewlett-Packard Company 

Mr. Chairman, Members of the Committee, I thank you for the invitation to ap- 
pear today to discuss the need for stronger federal protections for consumer privacy, 
and comment specifically on S. 2201. 

My name is Barbara Lawler, and as the HP Privacy Manager, I have global re- 
sponsibility for Hewlett-Packard’s privacy policy management, implementation, com- 
pliance, education and communication, in both the online and offline worlds. 

By way of background, HP is a leading provider of computing and imaging solu- 
tions and services. As a company we are focused on making technology and its bene- 
fits accessible to individuals and businesses through networked appliances, bene- 
ficial e-services and an “always on” Internet infrastructure. 

As a high-tech company that sells to the consumer market, we are deeply com- 
mitted to strong privacy practices. HP believes that self-regulation with credible 
third-party enforcement — such as the Better Business Bureau privacy seal pro- 
gram — is the single most important step that businesses can take to ensure that 
consumers’ privacy will be respected and protected online. We have also felt for 
some time, that there must be a ‘floor’ of uniform consumer privacy protections 
which all companies must adhere to. HP has testified on a number of occasions be- 
fore Congress about our support for strong, practicable, federal privacy protections. 
We at HP have had much experience in developing and managing consumer-friendly 
privacy policies and practices, so we welcome the opportunity to share our experiences with the Committee about what we think works — and what may not work — 
in crafting privacy standards. 

We want to commend you, Mr. Chairman, the ranking minority Member (Senator 
McCain), and the other Members of the Committee for your commitment to finding 
solutions to address consumer concerns about protecting their privacy. Three years 
ago, when HP first advocated the need for a federal initiative on privacy, we were 
virtually alone as a corporation in advocating that position. We think times have 
changed, and that many more companies and associations will support reasonable, 
baseline federal legislation for protecting consumers’ privacy. It is time — past time — 
to develop national privacy standards. We welcome your leadership in working 
through the difficult issues that must be resolved if we are to see privacy legislation 
enacted this year, and we welcome your bill, Mr. Chairman, as a starting point for 
those discussions. 

Let me start by giving you an overall picture of how we manage privacy at Hew- 
lett-Packard. HP applies a universal, global privacy policy built on the fair informa- 
tion practices: notice, choice, accuracy & access, security and oversight. Whether in 
English, French or Japanese, the core commitments are the same, with minimal lo- 
calization required to reflect local country laws. Key elements of our policy include 
no selling of customer data, no sharing of customer data outside HP without cus- 
tomer permission, customer access to core contact data and a customer feedback 
mechanism. We insist through contractual obligations that suppliers must abide by 
our policy. Our consumer business requires opt-in for email contact and our B2B 
business is moving to opt-in as well. 

The HP policy can be viewed in its online form at the lower left-hand corner of 
every hp.com web page: http://www.welcome.hp.com/country/us/eng/privacy.htm 

The guiding principles for managing data privacy at HP are: 

• customers control their own personal data 

• give customers choices that enhance trust and therefore enhance the business 

• put the customer in the lead to determine how HP may use information about 
them; and 

• have the highest integrity in practices, responses and partners 

HP people apply the privacy policy to marketing, support, e-services and product 
generation using a set of HP-developed tools called the “Privacy Rulebook” and the 
“Web Site Data and Privacy Practices Self-Assessment Tool”. 

A sample of current HP global privacy initiatives include: 

• company-wide training on implementing privacy standards 

• new application development and business rules for company-wide multiple cus- 
tomer database consolidation 

• Platform for Privacy Preferences (P3P) implementation for our most active web 
sites 

• Supplier contract compliance assessments 

I want to underscore some important distinctions around the ‘opt-in’ discussion 
and add some clarity. It’s HP policy to never sell or share our customer data without 
their express permission. HP has many business relationships with other compa- 
nies. Companies that act as service providers or suppliers to HP are contractually 
required through a Confidential Non-Disclosure Agreement and Personal Data Pro- 
tection Agreement to abide by HP’s privacy policy. 

HP’s strategic partnerships and co-marketing partners comprise a different class 
of business relationships. It is these relationships to which the HP opt-in policy re- 
quirement described above applies. 

Applying the opt-in standard for marketing contact within HP is an order of mag- 
nitude more difficult, but we’re committed because it’s the right thing to do for our 
customers. Implementing opt-in for marketing contact requires us to evaluate all 
customer databases and customer privacy choice data elements, re-engineer the data 
structures, systems and associated processes, change the privacy question format 
itself, develop implementation guides and tools, and communicate the new standard 
HP-wide. Some of the challenges we face are in the areas of managing a program- 
specific customer privacy choice with a ‘top-down’ HP request and resolving a large 
volume of data where the privacy choice is unknown. 

On January 29th, 2001, HP became the first high-tech company to certify with 
the U.S. Department of Commerce for Safe Harbor. This demonstrates our continued leadership in strong privacy practices in the U.S. The Safe Harbor framework offers consistency and continuity for business operations conducted between HP sites located in the United States and the European Union; this is critical for a global enterprise. And because HP manages a global privacy policy, citizens in the U.S. 
enjoy the same benefits as those in the EU and elsewhere. 

Finally, I would like to put the privacy issue into the larger perspective of con- 
sumer confidence in the global electronic marketplace. While consumers are con- 
cerned about their privacy online, they are also concerned about whether their cred- 
it cards are safe online, and whether if they order a blue vase from a website in 
Paris or Tokyo, they will get what they order in the quality and condition they ex- 
pected. In order for online businesses to truly earn the trust of consumers, we need 
to expand ongoing efforts to make sure that the global electronic marketplace is a 
clean, well-lighted venue for both consumers and businesses. For example, con- 
sumers need to have confidence that when they do business across national borders, 
there will be a redress system in place should anything go wrong with the trans- 
action. 

HP is working with 70+ businesses from around the world through the Global 
Business Dialogue for electronic commerce to develop a consensus on worldwide 
standards on consumer redress systems, that is, Alternative Dispute Resolution 
(ADR). In this effort, we are working with consumer groups and the FTC and the 
European Commission so that consumers and businesses will be able to quickly, 
fairly and efficiently resolve complaints related to online transactions. 

I would now like to turn to the language of S. 2201. 

First of all, we are pleased that the bill bases its “Notice and Consent” require- 
ments upon “clear and conspicuous” disclosure. HP has always felt that informed 
choice depends upon consumers having available the material information they need 
to make an informed choice with whom they wish to share their personal informa- 
tion. “Clear and conspicuous” is a term of art used by the FTC to provide robust 
notification, and we are pleased that Section 102 recognizes the importance of re- 
quiring this basic consumer protection. We are also pleased that there is a place in 
the legislation for privacy enhancing technologies such as P3P, which enhance no- 
tice and support capabilities for consumers. 

We are also pleased that the legislation does not take an ‘either-or’ stance on the 
opt-in, opt-out debate. We think the continued free flow of non-sensitive data, with 
the resulting economic benefits for both consumers and businesses, will be best 
served by an opt-out requirement and allowing room for competitive differentiation. 
For personally identifiable information that is of a sensitive nature (as defined by 
S. 2201), an opt-in requirement will most likely give consumers greater confidence 
in participating in online transactions. HP believes a very constructive discussion 
can be held as to where the demarcation should be made between opt-in and opt- 
out. 

We agree that as a general rule, the consent or denial of a consumer for permis- 
sion to collect or disclose personally identifiable information should remain in effect 
until the consumer decides to change their preference. 

We also agree on the importance of giving consumers reasonable data access to 
evaluate the accuracy of information collected. An observation we would make is 
that from our experience, data access can be a complex process. Many companies 
have multiple databases that collect data from a number of sources and mediums, 
and which may not be interoperable. Merging these data files is a prolonged, expen- 
sive process, though a process that is underway throughout industry. 

A commensurate problem is that of authentication. Ensuring that someone is in- 
deed who they say they are when they request access may bleed into security and 
identity theft issues. Creating a security breach or an identity theft problem while 
trying to address the access issue is a real concern. 

Having said that, we would like to work with the Committee to find practicable, 
secure and cost-effective solutions to the problems of access. 

As to enforcement, we are pleased that the legislation recognizes the importance 
of the role of the FTC. Utilizing clear statutory parameters, we welcome an FTC 
rulemaking that will allow an opportunity to develop implementation rules and to 
help define with greater specificity the terms of the legislation. We also agree that 
there is a role for the state Attorneys General in the enforcement of this legislation, 
and we concur with the balance achieved in the bill, between the rights of states 
to protect their citizens, and the right of the FTC — as the expert agency — to inter- 
pret its rule. 

One suggestion we would make is to find a role for self-regulatory privacy seal 
programs that have standards equal or above those required under this legislation. 
As we have stated, we belong to the BBB privacy program, which we believe is quite 
strict, and which requires that any consumer complaint must be addressed through 
a dispute resolution process. The more eyes and ears available to resolve privacy 
disputes will benefit consumers, and allowing the FTC to certify reputable seal programs to take a first crack at resolving disputes would be beneficial. 

Turning to areas of the bill where we have concerns, we must state our strong 
opposition to the concept of a private right of action for a privacy violation. We agree 
with the legislation that there need to be strong, bright lines as to what businesses 
must do to protect their customers’ privacy. As we have said, we welcome a healthy 
debate on opt-in and opt-out; we welcome FTC and state Attorneys General enforce- 
ment, and we would urge the Committee to consider adding language that will allow 
reputable seal programs to help in protecting consumer privacy. All of these initia- 
tives add clarity and certainty to the job of protecting consumer privacy. We are con- 
cerned that a private right of action will create less certainty and clarity in the mar- 
ketplace, as each court will supply its own definition as to what constitutes “actual 
harm” or “reasonable access” or “reasonable security”. Calibrating “actual monetary 
loss” from privacy violations will therefore be an art rather than a science, with 
each case, each court, and each plaintiff’s lawyer having their own view of the matter. 

Consumers deserve adequate protections, and this bill — as we have described — 
fills a void in privacy protections. At the same time, businesses need certainty as 
to the rules of the road, so that they can meet the obligations required to address 
privacy issues. A private right of action in this dynamic environment places this 
need for clarity and certainty on its head; legislation with a private right of action 
will offer consumers and businesses less certainty at a time when we need more 
clarity as to what should be the national, uniform privacy compact. 

On other issues addressed in the bill, we believe that there must be a recognition 
that the offline world and online world should be subject to the same privacy rules. 
We would be pleased to work with the Committee in addressing that need for con- 
vergence recognizing the differences in offline and online implementation. 

We also believe that “Whistleblower” law should be uniform across industries and 
therefore not considered for inclusion in this bill. Industry should not be 
piecemealed by variations in employment law relating to whistleblowers. And 
again — for the reasons stated above — we are concerned about a private right of action included in the Whistleblower section. 

Thank you, Mr. Chairman, for the opportunity to testify on S. 2201. HP looks forward to working with the Committee in developing — and passing — practicable consumer privacy protection this Congress. I would be pleased to answer any questions 
that you may have. 

The Chairman. Thank you very much. Mr. Rotenberg. 

STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, 
ELECTRONIC PRIVACY INFORMATION CENTER 

Mr. Rotenberg. Thank you very much, Mr. Chairman, Members 
of the Committee. My name is Marc Rotenberg. I am executive di- 
rector of the Electronic Privacy Information Center, and I would 
like to thank you for the opportunity to be here this morning. We 
have worked with a wide range of privacy and consumer organiza- 
tions over the years since your original bill was introduced to seek 
support for important privacy legislation in the Congress. 

I think it is clear that across the country public support for pri- 
vacy protection is still very high, even with the progress which in- 
dustry has made over the last several years, and there has been 
progress, there is still a fundamental lack of trust and confidence 
in the online marketplace. 

Legislation does not solve the problem of privacy protection, but 
I think it will take a big step forward in establishing the type of 
trust, confidence, stability, and continuity that allow businesses 
and consumers to participate in this new electronic environment 
with confidence that the personal information will be protected. 
The types of problems which the marketplace simply cannot solve 
are clear today. You can enter into a relationship with an online 
business, read a privacy policy, provide your personal information, 
and the company then decides to change its privacy policy. What 
do you do at that point? 

You can go online, provide information to a business which per- 
haps is not so well-run. Eventually, they seek the protection of 
bankruptcy law, and they take their customer database and they 
put it online to the highest bidder. 

You can go to a commercial web site, look at a 20-page privacy 
policy and decide you have got better things to do with your life, 
click “I agree,” and take your risks. 

What the legislation does is to try to deal with those types of 
problems that arise specifically in the online environment and 
make it difficult for consumers to have the type of confidence and 
assurance that they need when they type in the names of their 
children, their credit card numbers, where they live, their spouse’s 
names, and so forth. 

Now, as you may know, this version of the bill does not go as far 
as many privacy and consumer groups would like to go. We believe 
as a general matter that opt-in is a better approach, because it 
gives consumers better control. We think preemption raises serious 
concerns about the ability of States to protect the interest of their 
own citizens, and there are other areas as well where we think fur- 
ther changes might be necessary, but nonetheless I think this is an 
important step forward. 

Now, in my testimony I draw attention to a few areas that I hope 
the Committee will consider as you look at the legislation a little 
bit more closely, and I am going to highlight them now very briefly. 
I am concerned about the law enforcement exception, which is actu- 
ally a new issue in the drafting of this bill, simply because it is so 
broad. 

The way privacy laws typically work is to create a presumption 
against disclosure and then to allow exceptions in such cir- 
cumstances as a warrant or a court order to allow criminal inves- 
tigations to go forward, but that exception has to be narrowly craft- 
ed to ensure that any person who shows up in a business with a 
piece of paper saying they work for a Government agency is not 
able to get every record in the possession of that business, and I 
think it would be in the interest of both businesses and consumers 
to try to narrow that exception. 

I also think if it were possible to expand the access provision so 
that people would know a bit more about the information about 
them that is held by the companies, that would be beneficial. As 
the bill is currently drafted, consumers will largely know only the 
information that they provide to the company, which is, frankly, 
fairly self-evident. 

Let me say a couple of words, if I may, about the enforcement 
provision, because I have read a number of comments in the news 
stories from folks speaking for industry about this provision that 
it makes me wonder if they are reading the same bill that I was 
reading. The bill creates a private right of action, without question, 
but this is a private right of action that I cannot imagine any good 
attorney wanting to take a case based upon, and the reasons are 
very simple. 

First of all, it requires a showing of actual harm, which is ex- 
tremely difficult to do in privacy cases, and the reason that Federal 
statutes typically set out a liquidated damages amount of $2,500, 
or $1,000 or whatever an appropriate amount may be, is because 
it is hard to show harm when personal information is disclosed. 

But the second thing that this bill does is to take out any com- 
pensation, any award of attorney’s fees or for actual costs incurred 
that a court would routinely award. In other words, even if you 
prevail, even if you are able to show actual harm under the private 
right of action set out in this bill, you are only going to be com- 
pensated for the amount of your harm and any costs associated 
with your litigation will not be recoverable. 

Now, I think this is just too high a burden for people who are 
trying to seek redress where their rights have been lost, and I 
think you have two solutions. One, you can put back in the type 
of compensation that you would routinely receive in Federal litiga- 
tion, which includes reasonable attorney’s fees, or you can say, if 
you want to bring a privacy case, go to small claims court, and this 
is the approach that was taken in the Telephone Consumer Protec- 
tion Act, and I think that approach could work as well, but this 
current approach, contrary to what you may read in the news- 
papers, is not going to open a floodgate of litigation. At best, you 
may see a trickle of cases from a few people who have a lot of 
money and want to pursue a privacy claim. 

On the distinction between personally identifiable information 
and sensitive personally identifiable information, I think the pri- 
vacy community would generally prefer the broader or the higher 
standard, which would be to treat all information as being sensitive, 
but I do think the bill strikes a reasonable balance, and I think it 
strikes a common-sense balance that how we view medical informa- 
tion and financial information is not the same as how we view the 
lettuce we buy or the paper towels we buy in the grocery store, and 
maybe it is appropriate to make that distinction which the bill 
makes here. 

The one suggestion I would make in terms of where you might 
draw that line is to consider that issues related to political belief 
and intellectual freedom really should fall under the category of 
sensitive personal information. As the bill is currently drafted, you 
put religious belief as sensitive personal information, and you put 
political party affiliation under that category, but a person’s polit- 
ical beliefs which may be reflected in their purchases online I think 
also should be entitled to similar protection. 

The approach to technologies for protecting personal policy is 
very good, and I think that could be expanded to consider a wide 
range of solutions that industry may develop and that consumers 
would favor. 

So in conclusion, Mr. Chairman and Members of the Committee, 
I think this is very important legislation. I think it is timely legis- 
lation. I think there are an awful lot of people in the United States 
that would feel more comfortable going online, using the Internet, 
making transactions and buying stuff, if they knew that there was 
some privacy protection in place to help safeguard them. 

[The prepared statement of Mr. Rotenberg follows:] 
Prepared Statement of Marc Rotenberg, Executive Director, Electronic 
Privacy Information Center 

Mr. Chairman, Members of the Senate Commerce Committee, thank you for the 
opportunity to testify today on S. 2201, the Online Personal Privacy Act. My name 
is Marc Rotenberg. I am the Executive Director of the Electronic Privacy Informa- 
tion Center in Washington, DC. EPIC is a public interest research and advocacy or- 
ganization that focuses on emerging civil liberties issues. I am also the chairman 
of Privacy International, a human rights organization based in London. 

It is clear that the protection of privacy remains one of the top concerns in the 
United States today. Even with the dramatic events of the past year, Americans 
continue to make clear in opinion polls, news articles, and everyday conversation 
that one of the great challenges in our era of hi-tech convenience is to avoid the 
loss of personal privacy. 

Today we get sports scores online, read news stories, send messages to friends 
and colleagues, participate in discussions, buy books and CDs, shop for home loans, 
make travel plans, and purchase gifts for our relatives. All of this is made possible 
because of a new computer network technology that has linked together the inex- 
pensive desktop computers that we have in our homes. The benefits of the Internet 
are clear, but so too are the risks. 

In many respects, this ongoing support for the right of privacy is not surprising. 
Privacy protection has a long history in the United States. Many countries have 
simply not afforded their citizens the right to use telephones without eavesdropping, 
to hold credit reporting firms accountable for inaccurate disclosures that impact a 
consumer’s ability to participate in the marketplace, to find a job, to obtain health 
insurance, or to buy a home. 

New privacy laws have frequently been developed in response to the challenges 
of new technology. Congress enacted privacy laws for the telephone network, com- 
puter databases, cable television, videotape rentals, automated health records, elec- 
tronic mail, and polygraphs. In each case, it was never the intent to prohibit the 
technology or to prevent the growth of effective business models. Instead, the pur- 
pose was to establish public trust and confidence in the use of new technologies that 
had the ability to gather a great amount of personal information and, if used im- 
properly, to undermine the right of privacy. 

With the Internet, a piecemeal approach has been taken. A law was passed to pro- 
tect the privacy interests of minor children. The FTC exercised its section 5 author- 
ity for a limited number of privacy cases. Some US firms endorsed the Safe Harbor 
Arrangement, providing at least for their European customers, baseline privacy pro- 
tection. Many companies also attempted to address public concerns about online pri- 
vacy through the development of privacy policies, the hiring of privacy officials, and 
support for third-party accreditation services. Some progress has been made. But se- 
rious problems remain. 

• Companies post privacy policies, enter into relationships with consumers, collect 
personal information, and then decide to change their policies. 

• Companies create assurances of protection, run into financial troubles, seek pro- 
tection under bankruptcy law, and then sell their customers’ data to the highest 
bidder. 

• Companies post privacy policies that require the help of both an English major 
and a commercial lawyer to understand, and even then the policies are mis- 
leading and contradictory. 

• Companies acquire information from customers for one purpose and then turn 
around and sell it for another without the customer’s knowledge and consent. 

• And companies avoid the adoption of genuine Privacy Enhancing Technologies 
that could minimize privacy risk and promote the development of electronic 
commerce because there is no financial consequence to do otherwise. 

In each of these examples, there is no market-based solution. And all of this takes 
place in an environment where the data-collection practices are far more extensive 
than in the physical world. In theory consumers could bring suit for breach of con- 
tract, but privacy harms are difficult to measure, class action lawsuits have not had 
much success, and even the FTC has struggled to find a way to apply traditional 
consumer protection law to the new challenges of online privacy. 

The Online Personal Privacy Act seeks to establish trust and confidence in the 
disclosure of personal information in the online environment. This is central to the 
growth of electronic commerce and the online marketplace. The Act follows the ap- 
proach of virtually every modern privacy law in the United States. The Act sets out 
“Fair Information Practices” for the collection and use of personal information provided by users of the Internet to those who operate commercial web sites or provide 
Internet services or online services. 

As a general matter, the Online Privacy Protection Act contains the basic ele- 
ments of an effective privacy law. There are provisions for access and for enforce- 
ment. There are security obligations and notice requirements. There are opportuni- 
ties for enforcement. In many respects the Act also tracks the better practices fol- 
lowed by companies today as well as the Safe Harbor Arrangement that US firms 
have increasingly followed in their online commercial relations with customers in 
Europe and other countries. 

Law Enforcement Exception 

As with many privacy laws, the Act creates a presumption against the disclosure 
of personal information and then sets out limited circumstances when the informa- 
tion may properly be disclosed. For a privacy law to be effective, it is critical that 
these exceptions be carefully drafted and as narrow as possible. In my opinion, the 
exception for disclosure to law enforcement agencies (sec. 103(e)) is too broad. In 
fact, I could not find another privacy law that would make it so easy for so many 
public officials to get access to personal information that would be otherwise pro- 
tected in law. 

The problem is the list of entities — “law enforcement, investigatory, national secu- 
rity, regulatory agency, or Department of United States” — coupled with the phrase 
“in response to a request or demand made under authority granted to that agency 
or department.” That formulation essentially defeats the Fourth Amendment pur- 
pose of ensuring that the judiciary plays a role where a lawful search is authorized. 
I urge you to stay with the standard in other privacy laws that grants authority 
to a “law enforcement agency” acting on a federal or state warrant, a court order, 
or a properly executed administrative order. This provides the government with a 
wide range of opportunity to obtain information in the course of a criminal inves- 
tigation in a manner that ensures judicial oversight and minimizes the risk of 
abuse. 

Access Provision 

The access provision (sec. 105) follows a principle widely recognized in US privacy 
law and that is the ability of a person to see the records held by others. Consumers 
receive access to credit reports, to medical records, and to cable billing information. 
Under the Privacy Act they are also able to obtain records of information about 
them held by federal agencies. But the provision in the Online Personal Privacy Act 
is narrower than it should be. Consumers generally know what information they 
have provided to companies. What they do not know is what information the com- 
pany is providing about them to others. The access provisions should allow con- 
sumers to be aware of disclosures to third parties. 

Also, the bill rightly ensures that copies of this information will be available at 
a reasonable fee and that the fee is waived in those cases where the consumer may 
not be able to pay or where there is fraud. A provision should also be included to 
provide free access in those cases where the provider or operator receives payment 
or consideration from a third party for the disclosure of the user’s information. This 
is a principle of fairness and equity that will make companies more respectful of 
the privacy interests of their customers. 

Enforcement 

Mr. Chairman, the section on enforcement raises several difficult problems. It 
rightly seeks to provide several ways to ensure actual implementation of the prac- 
tices set out in Title I, but it is not clear whether these provisions individually, or 
taken together, provide an adequate means of protection. 

It is likely that the primary means of enforcement will be through the Federal 
Trade Commission since any violation of the Act will be considered a violation of 
Section 5 of the FTC Act. However, the FTC Act does not provide any actual relief 
to affected parties. The FTC will have the authority to enter into a consent decree 
to prevent the company from engaging in similar acts in the future. 

The State Attorneys General retain significant authority to pursue actors that vio- 
late Title I but the FTC retains the ability to prevent these matters from going for- 
ward. Considering that the bill also preempts the authority of states to enact strong- 
er measures to safeguard the interests of their citizens, this provision represents a 
significant transfer of authority from the states to Washington, DC. 

Structurally, the Act places a great deal of faith on the ability of the FTC to pur- 
sue privacy violations. I believe that this can be made to work but it will require 
extensive public oversight. The critical role of the FTC becomes even clearer when 
you consider the private right of action created by section 203. Some of the industry 
lobbyists have claimed that this bill will open a floodgate of litigation. But a fair 
reading of the Act reveals that it will be remarkable if there is more than a trickle 
of cases. 

Section 203 is drafted in such a way as to pile high all the hurdles of litigation 
without any of the benefits. Litigants will be required to establish “actual harm” 
which is difficult in privacy cases, and the reason that federal law typically provides 
for liquidated damages. They will be required to go into federal district court when 
violations have occurred but there will be no payment for a lawyer or costs incurred 
and very limited opportunity for damages if they prevail. It is hard to imagine who 
but the most affluent would be able to pursue such a case. 

The private right of action provision in this bill is far narrower than any other 
privacy law with which I am familiar. Typically, a federal privacy law allows a per- 
son to recover actual damages not less than a set amount of at least $2,500, puni- 
tive damages, reasonable attorney fees and litigation costs, and such other relief as 
a court may determine. And even with these incentives, privacy cases are infrequent 
and damages, when they are awarded, are nominal. It takes an extremely deter- 
mined plaintiff to pursue these cases. 

At the very least, the Committee should either allow individual consumers to go 
into small claims court to seek relief for violations of the Act, as they are able to 
do currently under the Telephone Consumer Protection Act, or if they must go into 
federal court, the Act should provide for reasonable attorneys’ fees, costs, and such 
other relief as a court may provide. Even with this change, proving actual harm in 
a privacy case will remain very difficult. 

Application to Congress and Federal Agencies 

Mr. Chairman, I am pleased to see that Title III of the Act extends baseline pri- 
vacy standards to federal agencies and to the United States Congress. This sends 
a clear message that Internet privacy protection should apply to both the public and 
private sector. Title III should also make clear that nothing in this Act will alter 
the obligations set out in the Privacy Act of 1974, which applies to all federal agen- 
cies that collect personal information on US citizens whether or not they are pro- 
viders or operators under the definitions of the Act. 

But here again I must point out that, unless the law enforcement access provision 
in Section 103 is narrowed, any federal agency could defeat the purpose of this On- 
line Personal Privacy Act simply by granting itself the authority to routinely engage 
in actions that would otherwise violate the provisions set out in Title I. It simply 
does not make sense to pass a privacy law that seeks to impose privacy obligations 
on a federal agency and then leaves the agency with the authority, if it so chooses, 
to remove the obligations. 

Definition of Sensitive Personally Identifiable Information 

The Act makes an important distinction between Personally Identifiable Informa- 
tion (PII) and Sensitive Personally Identifiable Information (SPII). The first is gen- 
erally subject to the opt-out approach, while the second would require opt-in. While 
many privacy experts, including me, have favored the opt-in rule for all transfers 
of personal information, I believe the approach set out in the bill can be made to 
work. It reflects a general recognition that there is a distinction between medical 
and financial information on the one hand and the type of paper towel or lettuce 
we buy on the other. It also follows an approach that is increasingly found in Eu- 
rope and other regions of the world to make clear that a stronger privacy standard 
should apply to more sensitive personal information. The definition of Sensitive Personally Identifiable Information set out in the Act reflects both a commonsense understanding and the practice that is currently evolving. 

The one additional subject area that I hope you will consider adding to the cat- 
egory of Sensitive Personally Identifiable Information is for matters of intellectual 
freedom and political belief. The United States in particular has a long tradition of 
seeking to safeguard the records of the books that people borrow in libraries, the 
video tapes they rent, and the cable programs they watch. In a recent case, a state 
Supreme Court made clear the high level of privacy associated with records of book- 
store customers. 

With the Internet in particular, there is a significant risk that a very detailed pic- 
ture of a person’s political beliefs could be easily compiled and distributed with little 
regard for the right of privacy. I believe that if this were done by government actors 
it would implicate deeply held First Amendment values and should not be per- 
mitted. 

Privacy Enhancing Technologies 

Efforts to develop tools that will enhance online privacy and could diminish the 
need for further legislation should certainly be encouraged. The bill proposes P3P 
as one possible approach. I believe a better research program would focus on genuine Privacy Enhancing Techniques that enable online transactions and commerce, 
and minimize the risk of privacy loss. Such approaches include techniques for “au- 
thentication without identification,” which means simply that consumers could en- 
gage in verifiable transactions with online merchants without disclosing their actual 
identities much as they do today in the physical world with cash and credit cards. 
Other research topics might include techniques for enabling online access that do 
not create additional security risks, developing methods for consumers to more read- 
ily track the subsequent disclosure of their personal information, and ensuring by 
technical measures that individuals will maintain greater control over the personal 
information they provide to others. 

It is clear that a wide range of approaches will be necessary to safeguard online 
privacy. Technology has a critical role to play. But the privacy technologies must 
be designed with the central goal of protecting privacy. 

Conclusion 

In conclusion, Mr. Chairman and Members of the Committee, the Online Personal 
Privacy Act is an important step forward in the advancement of privacy law in the 
United States. It responds to overwhelming public support for stronger privacy pro- 
tection on the Internet. It seeks to ensure that the right of privacy will carry for- 
ward as new commercial opportunities are developed and new technologies emerge. 
I hope the Committee will take the steps necessary to strengthen the provisions in 
the bill so as to ensure that the intent of the sponsors is realized in practice. 

Thank you again for the opportunity to appear before the Committee today. I 
would be pleased to answer your questions. 

The Chairman. Thank you very much. Mr. Misener. 

STATEMENT OF PAUL MISENER, VICE PRESIDENT OF 
GLOBAL PUBLIC POLICY, AMAZON.COM 

Mr. Misener. Good morning, Chairman Hollings, Senator 
McCain, Members of the Committee. My name is Paul Misener. I 
am Amazon.com’s vice president for global public policy. Thank you 
for inviting me to testify today on S. 2201. We greatly appreciate 
the time and energy you and your staff have committed to con- 
sumer information privacy issues, as well as your continuing will- 
ingness to hear Amazon.com’s perspectives. 

Mr. Chairman, Amazon.com is the Internet’s No. 1 retailer, with 
well over 35 million customers. We have as much experience and 
as much at stake as any entity on these issues. Although Ama- 
zon.com has serious concerns about several aspects of this bill, we 
look forward on behalf of our customers and company to working 
with you and your Committee to address all of these issues. 

Mr. Chairman, Amazon.com is pro-privacy. The privacy of per- 
sonal information is important to our customers and, thus, is im- 
portant to us. Therefore, Mr. Chairman, we share your goal of pro- 
viding consumers the personal privacy protections they want, and 
we already provide, with one understandable exception, the sub- 
stantive protections that a reasonable interpretation of your bill 
would require. 

Indeed, at Amazon.com we manifest our commitment to privacy 
by providing our customers notice, choice, including opt-in choice 
where appropriate, access and security. So why do we do so? Well, 
the reason is simple. Privacy is important to our customers, and 
therefore important to Amazon.com. We simply are responding to 
market forces. 

Amazon.com believes S. 2201’s most serious shortcoming is that, 
as drafted, it would not apply equally to online and offline activity. 
In our view, it makes little sense to treat consumer information col- 
lected online differently from the same consumer information 
collected through offline media such as point-of-sale purchase track- 
ing, warranty registration cards, and magazine subscriptions. 

Offline privacy practices differ from online practices in only three 
relevant respects, and in two of these respects consumers get more 
privacy protection online than offline. In any case, these differences 
are not addressed in this bill. Rather, virtually identical practices 
would be treated differently. 

Moreover, online transactions account for only a tiny percentage, 
as Senator Burns pointed out, just 1 percent of all consumer trans- 
actions, and people on the unfortunate side of the digital divide, 
generally those with less money and education, would receive no 
protections from an online-only law. 

This is not to suggest that an online-only approach never was 
credible. To the contrary, based on what little was known publicly 
about both online and offline privacy practices as recently as 2 
years ago, one easily could have concluded at the time that online 
privacy issues deserved discriminatory treatment, especially in 
order to avoid a potential privacy disaster, but now we know there 
is little justification for discriminating against online. 

Mr. Chairman, Amazon.com gratefully acknowledges that S. 
2201 contains two important provisions that would be good for our 
customers, company, and industry. First, it would confirm our 
belief that the privacy promises a company makes to consumers 
must still apply to the private information consumers provide to 
that company even after ownership of the company or information 
changes. 

Second, it intends to preempt inconsistent or additional State 
laws. It would be difficult or impossible for nation-wide entities to 
comply with as many as 50 conflicting laws, and it would be unfair, 
if not also unconstitutional, to permit the citizens of one State to 
make the privacy decisions for citizens of another. 

Mr. Chairman, we also have identified the following areas of seri- 
ous concern in S. 2201. Amazon.com will focus its cooperative, con- 
structive efforts on these issues as well as on the online-offline par- 
ity point, in an effort to provide you and your commitment as much 
information as possible. 

We are very concerned that section 203, on private rights of ac- 
tion, would give overly aggressive litigants a new tool to extract 
rents from, quote, good-guy companies with relatively deep pockets. 
It is clear from the recent privacy sweeps that the most popular 
and, thus, the most successful web sites already are providing out- 
standing privacy protections. Unfortunately, however, it will be 
these, quote, good guys that litigants attack, because these are the 
entities capable of paying big judgments. Indeed, under the current 
bill it would be far more lucrative to bring a class action suit to 
catch a good guy on a technicality than catch a bad guy in an egre- 
gious act. 

And the threat is astounding. A company could be hit with a 
judgment of $5,000 per user per violation with a showing of but 
minimal actual harm and no showing of malfeasance. Because class 
actions are not precluded, there probably would be a class action 
alleged for every potential violation, and for a company like ours, 
with 35 million customers, the implications are staggering. 
And worse for consumers, allowing such private rights of action 
would cause the good guys to make their privacy notices much 
more legalistic and much less readable just so that they would fare 
better in a lawsuit. We believe a regulatory body such as FTC, on 
the other hand, could balance the competing interests of legal pre- 
cision against simplicity. 

Another key concern for us is the access and deletion 
requirements in section 105. This section seems to require data deletion 
on demand, which would be extraordinarily expensive and would 
dramatically hinder our efforts to thwart fraud and consumer iden- 
tity theft. Indeed, this provision would likely end up making con- 
sumer identity theft easier by making criminal activity much hard- 
er to trace. 

Further, the quote, reasonable security requirements of section 
106 are cause for great concern, especially among Amazon.com’s 
engineers. Companies have every possible motivation, including ex- 
tant tort law, to maintain effective security against hackers. None- 
theless, if there is a security breach, it may be very difficult for a 
company to argue that, quote, reasonable precautions were taken. 
With little precedent for guidance, the fact of a breach would make 
any failed security precautions look unreasonable. In other words, 
without clarifying language, the security reasonableness standard 
likely would function as a strict liability standard. 

Last, we are very concerned about the vague and sometimes in- 
correct definitions listed in section 401. What for example is, “ro- 
bust notice” on a web-enabled cell phone or other small-screen de- 
vice such as a remote terminal on the kitchen wall, or on the auto- 
mobile dashboard? 

Mr. Chairman, in conclusion, Amazon.com is pro-privacy in re- 
sponse to consumer demand and competition. We already provide 
our customers notice, choice, access, and security. You have called 
for these same features in S. 2201, and although we have many 
concerns with this bill, we appreciate that you recognize, as we do, 
the importance of consumer privacy. 

Our foremost concern with S. 2201 is that it would apply only to 
some companies and only to 1 percent of consumer transactions. 
Amazon.com respectfully requests that any privacy legislation that 
moves forward out of this Committee apply to all transactions, not 
merely those conducted online. Although Amazon.com welcomes 
two key components of this bill, we also have serious concerns with 
several other specific provisions. We look forward to working with 
you and your Committee to address these issues. 

Thank you again for inviting me to testify. I welcome your ques- 
tions. 

[The prepared statement of Mr. Misener follows:] 

Prepared Statement of Paul Misener, Vice President, Global Public Policy, Amazon.com 

Chairman Hollings, Senator McCain, and Members of the Committee, my name 
is Paul Misener. I am Amazon.com’s Vice President for Global Public Policy. Thank 
you for inviting me to testify today on S. 2201, The Online Personal Privacy Act. 

Although, as I will describe throughout this testimony, Amazon.com has serious 
concerns about several aspects of this bill, we greatly appreciate the time and en- 
ergy you and your staff have committed to consumer information privacy issues, as 
well as your continuing willingness to hear Amazon.com’s perspectives. 
Amazon.com also gratefully acknowledges that S. 2201 contains two important 
provisions that we could support. First, this bill would confirm our belief that the 
privacy promises a company makes to consumers must still apply to the private in- 
formation consumers provide to that company, even after ownership of the company 
or information changes. Second, S. 2201 intends to preempt inconsistent or addi- 
tional state laws. It would be difficult or impossible for nationwide websites to com- 
ply with as many as fifty conflicting laws, and it would be unfair (if not also uncon- 
stitutional) to permit the citizens of one state to make the privacy decisions for the 
citizens of another. Both of these provisions in S. 2201 are welcome and would be 
good for our customers, company, and industry. 

As for our concerns, Mr. Chairman, Amazon.com is the Internet’s number one re- 
tailer and, therefore, has as much experience (and as much at stake) as any other 
entity on these issues. On behalf of our customers and company, we look forward 
to working with you and your Committee to address the concerns we raise in this 
testimony. I hope that you will welcome our perspectives in the constructive and co- 
operative spirit in which they are offered. 

Privacy at Amazon.com 

Mr. Chairman, Amazon.com is pro-privacy. The privacy of personal information is 
important to our customers and, thus, is important to us. Indeed, as Amazon.com 
strives to be Earth’s most customer-centric company, we must provide our customers 
the very best shopping experience, which is a combination of convenience, personal- 
ization, privacy, selection, savings, and other features. 

Therefore, Mr. Chairman, Amazon.com shares your goal of providing consumers 
the personal privacy protections they want, and we already provide most of the sub- 
stantive protections that a reasonable interpretation of your bill would require. At 
Amazon.com, we manifest our commitment to privacy by providing our customers 
notice, choice, access, and security. Before I describe these four facets of privacy pro- 
tection at Amazon.com, please allow me to explain how we use customer informa- 
tion. 

Personalization at Amazon.com 

In general, Amazon.com uses personally identifiable customer information to per- 
sonalize the shopping experience at our store. Rather than present an identical 
storefront to all visitors, our longstanding objective is to provide a unique store to 
every one of our customers, now totaling well over 35 million people. In this way, 
our customers may readily find items they seek, and discover other items of inter- 
est. If, for example, you buy a Stephen King novel from us, we likely will rec- 
ommend other thrillers the next time you visit the site. 

Amazon.com now inserts, among the now-familiar “tabs” atop our Web pages, a 
special tab with the customer’s name on it. When I visited Amazon.com’s site last 
week, for example, the tabs included Books, Electronics, DVDs, and “Paul’s Store.” 
By clicking on the “Paul’s Store” tab, Amazon.com introduced me to six smaller 
stores, including one named, “Your Kitchen and Housewares Store,” which featured 
a Calphalon Commercial Nonstick Collector’s Edition 10-Inch International Griddle/ 
Crepe Pan, which I promptly bought. 

It was no coincidence, of course, that Amazon.com recommended this crepe pan 
to me, and that I liked it: using so-called “collaborative filtering” techniques, which 
compare my past purchases (many of which are cookware items) to anonymous sta- 
tistics on thousands of other Amazon.com purchases, Amazon.com computers auto- 
matically — and correctly — predicted that I would want that crepe pan. 

Similar personalization is provided in the traditional Amazon.com recommenda- 
tions on the home page, in purchase follow-up recommendations, in the “New for 
You” feature, and in some varieties of email communications. Customers can im- 
prove the quality of these recommendations in several ways, including by deleting 
individual Amazon.com purchases from consideration, and by rating the products 
they buy at Amazon.com or elsewhere. For example, last year I bought my niece a 
few CDs from the singer Britney Spears but, because I do not want similar music 
recommended to me, I have deleted these CDs from the list of items Amazon.com 
uses to produce my recommendations. In addition, on Amazon.com’s site, I can rate 
a CD that I might have purchased at Wal-Mart, in order to improve the quality of 
Amazon.com’s music recommendations to me. 

Obviously, Amazon.com’s personalization features directly benefit our customers. 
And, just as obviously, these features require the collection and use of personally 
identifiable customer information. The question, then, is how do we protect the pri- 
vacy of this information? 
Privacy Practices at Amazon.com 

As I indicated earlier, Amazon.com manifests its privacy commitment by pro- 
viding notice, choice, access, and security. 

Notice. Amazon.com was one of the first online retailers to post a clear and con- 
spicuous privacy notice. And in the summer of 2000, we proudly unveiled our up- 
dated and enhanced privacy policy by taking the unusual step of sending email no- 
tices to all of our customers, then totaling over 20 million people. 

Choice. We also provide our customers meaningful privacy choices. In some 
instances, we provide opt-out choice, and in other instances, we provide opt-in choice. 
For example, Amazon.com will share a customer’s information with a wireless 
service provider only after that customer makes an opt-in choice. We simply are not in 
the business of selling customer information and, thus, beyond the very narrow cir- 
cumstances enumerated in our privacy notice, there is no information disclosure 
without consent. 

Access. We are an industry leader in providing our customers access to the infor- 
mation we have about them. They may easily view and correct as appropriate their 
contact information, payment methods, and purchase history. And, with a feature 
called “The Page You Made,” customers even can see part of the “click-stream” 
record of products they view while browsing Amazon.com’s online store. 

Security. Finally, Amazon.com vigilantly protects the security of our customers’ 
information. Not only have we spent tens of millions of dollars on security infra- 
structure, we continually work with law enforcement agencies and industry to share 
security techniques and develop best practices. 

It is very important to note that, other than an obligation to live up to pledges 
made in our privacy notice, there is no legal requirement for Amazon.com to provide 
our customers the privacy protections that we do. 

Market Forces at Work 

So why do we provide notice, choice, access, and security? The reason is simple: 
privacy is important to our customers, and thus it is important to Amazon.com. We 
simply are responding to market forces. 

Indeed, if we don’t make our customers comfortable shopping online, they will 
shop at established brick and mortar retailers, who are our biggest competition. 
Moreover, online — where it is virtually effortless for consumers to choose among 
thousands of competitors — the market provides all the discipline necessary. Our cus- 
tomers will shop at other online stores if we fail to provide the privacy protections 
they demand. 

These market realities lead Amazon.com to eschew the term “industry self-regula- 
tion.” We believe this concept — which often is touted as a substitute for legislation 
and government regulation — suggests that companies must act altruistically in 
order to provide consumers the protections they deserve. But this suggestion simply 
is not true. Companies must provide the privacy protections consumers demand or 
be forced out of business. Nowhere is this more true than among website-based re- 
tailers: a consumer can easily choose among hundreds of retailers without leaving 
her home. Contrast that with brick and mortar retail, which presents consumers 
with only a very small number of store choices within a reasonable driving distance. 

Moreover, as Amazon.com has consistently stated, and last year testified before 
this Committee, these market realities also lead us to conclude that there is no in- 
herent need for privacy legislation, at least for typical website-based business-to- 
consumer commerce. The Federal Trade Commission’s annual privacy sweeps (this 
year conducted by the Progress and Freedom Foundation at the behest of the Com- 
mission) confirm that those companies with high levels of privacy protections are 
the ones that succeed in this robust market. There simply is no market failure for 
legislators to address; indeed, as just noted, the “online” retail market is inherently 
more competitive than that of traditional “offline” retail. Put another way, if there 
is a market failure, it is with offline, not online consumer transactions. 

Notwithstanding these points on the inherent need for legislation, Mr. Chairman, 
Amazon.com wants to work cooperatively and constructively with you and your 
Committee on this issue. For S. 2201, we have one general concern, and several spe- 
cific concerns, which I will describe momentarily. Let me again say, however, that 
we greatly appreciate the work you and your staff have put into this bill. 

Fairness Among Transactions and Consumers 

Before addressing specific provisions of S. 2201, please allow me to comment on 
what Amazon.com believes to be the bill’s most serious shortcoming: As drafted, S. 
2201 would require companies to provide various privacy protections, but only for 
a tiny fraction of consumer transactions. And, S. 2201 would not require companies 
to provide any protections for tens of millions of American consumers with relatively 
low incomes and limited educational backgrounds. 

As I previously have testified before this Committee, Amazon.com believes that 
privacy legislation must apply equally to online and offline activities, including the 
activities of our offline retail competitors. It makes little sense to treat consumer 
information collected online differently from the same (or often far more sensitive) 
consumer information collected through other media, such as offline credit card 
transactions, mail-in warranty registration cards, point-of-sale purchase tracking, 
and magazine subscriptions. 

Offline Privacy Practices. For example, the offline consumer information collection 
practices of brick and mortar retailers are described on the website (http://www.epic.org/privacy/profiling/) 
of the Electronic Privacy Information Center 
(EPIC): 

“Many supermarkets are offering membership cards that grant discounts to con- 
sumers. What often goes unmentioned is that these club cards enable the store 
to create detailed profiles of individuals’ consumption habits. These profiles are 
linked to individually-identifiable information, often with the requirement at 
enrollment that the consumer show state-issued identification. Since many su- 
permarkets sell more than just food (alcohol, cigarettes, pharmaceuticals, etc.), 
the companies can collect volumes of information about individuals’ habits.” 

“The danger in this profiling is increased by the fact that supermarkets are not 
limited by law in sharing the information they collect. A supermarket can sell 
the information to a health insurance company or to other aggregators in order 
to make a more complete profile on an individual.” 

“The risks of profiling based on consumption are often derided by supermarket 
profilers. They may say that ‘no one cares if you like asparagus more than broc- 
coli.’ But, that’s not the issue. Individuals have different definitions of sensitive 
information. And the profilers aren’t interested in whether you’re buying one 
vegetable over another. They are more likely to want to know whether an indi- 
vidual is buying baby diapers or adult diapers.” 

My wife and I know about these offline privacy practices firsthand. Our son is 
nearly five months old. Last month, after buying many packages of baby diapers 
from Giant Food, where we have a “loyalty card,” we received a Giant Food “baby 
brochure,” which essentially is an advertising packet. Clearly, this baby brochure so- 
licitation from Giant came merely as a result of purchasing baby products from 
Giant stores: Giant’s computers compiled information about our buying habits and 
decided to start sending us baby literature. 

To be clear, I don’t mind receiving such solicitations nor, I believe, do most Ameri- 
cans. It makes more sense for me to receive baby product ads than the brochures 
I often receive on lawn care services in spite of the fact that I live in a townhouse. 
I just mind that S. 2201 would ignore such offline practices, yet regulate the exact 
same personalization services provided by online entities such as Amazon.com. 

Warranty registration cards, as EPIC also points out on its website, are yet an- 
other way offline entities collect, enter into electronic databases, and sell personally 
identifiable information that often is entirely unrelated to the subject of the war- 
ranty. Several weeks ago, my wife and I needed to buy a new clothes washer and 
dryer. The warranty registration cards for these large and potentially dangerous ap- 
pliances had labels telling us to complete and return the cards in the interest of 
safety. But, for some reason, they also needed to know our household income and 
our reading habits! Consumers are essentially asked to either provide private infor- 
mation or be unsafe. Similarly, an earlier purchase of a small, but potentially dan- 
gerous, space heater included a warranty registration card (again emphasizing the 
safety aspects of registration) that asked for my household income, where my family 
took our last vacation, whether we read the Bible, and whether anyone in the 
household has prostate problems. Because the private information sought from con- 
sumers is clearly unrelated to the product subject to the warranty, and probably un- 
related to other products sold by the manufacturers of my washer/dryer and space 
heater, it is obvious that, under the guise of safety, highly private consumer infor- 
mation is being collected and sold. 

Obviously, these offline privacy practices are no less deserving — and often far 
more deserving — of Congress’ attention than online practices. Amazon.com firmly 
believes that, in fairness to consumers (if not also companies), online and offline pri- 
vacy practices must be treated equally. 

The former and current chairs of the Federal Trade Commission have supported 
this view. In testimony before this Committee nearly two years ago, on May 25, 
2000, then-Chairman Robert Pitofsky, in a colloquy with Senator Kerry, testified 
that, 

“[I] have increasingly come to the view that the theory of distinguishing online 
from offline is really rather weak. I was recently influenced by one of our advi- 
sory panel people who said, “What is the point of treating warranty information 
from when a consumer files a warranty card, that is just going to be read into 
an electronic format by some clerk — Why would you treat that information dif- 
ferently from another?” I found that a very powerful argument. I am also influ- 
enced by the fact that we hear through mergers, joint ventures, and otherwise, 
that online and offline companies are merging their databases. And that’s an- 
other reason we should think about both.” 

Current FTC Chairman Timothy Muris, in testimony before the Senate Appro- 
priations Committee on March 19, 2002, said that, 

“Consumers are deeply concerned about the privacy of their personal informa- 
tion, both online and offline. Although privacy concerns have been heightened 
by the rapid development of the Internet, they are by no means limited to the 
cyberworld. Consumers can be harmed as much by the thief who steals credit 
card information from a mailbox or dumpster as by the one who steals that in- 
formation from a Web site.” 

And, last October, in a speech to the Privacy 2001 Conference, Chairman Muris 
specifically addressed the scope of privacy legislation, saying, 

“I am concerned about limiting legislation to online practices. Whatever the po- 
tential of the Internet, most observers recognize that information collection 
today is more widespread offline than online. Legislation limited to online prac- 
tices perhaps seemed attractive when Internet commerce was expanding almost 
limitlessly. Today, however, it is increasingly difficult to see why one avenue 
of commerce should be subject to different rules than another, simply based on 
the medium in which it is delivered.” 

Mr. Chairman, parity is necessary in fairness to online companies. It simply 
would not be equitable to saddle online retailers with requirements that our brick 
and mortar (or mail or telephone order) competitors do not face, nor would it be fair 
to mislead consumers by telling them their privacy would be substantially protected 
by an online-only bill when, in fact, only a tiny fraction of their transactions would 
be addressed. 

Online-Offline Differences. Some people contend, however, that online activities 
deserve discriminatory treatment under the law because of some inherent dif- 
ferences between online and offline business-to-consumer relations. As described 
above, there are many obvious similarities. I acknowledge, however, that there are 
three relevant differences between online and offline. Although one of these dif- 
ferences could lead to online consumers having relatively less privacy, the other two 
differences actually give online consumers more privacy protection than offline con- 
sumers. 

The one difference that potentially gives online consumers less privacy protection 
is the availability of so-called “click-stream” information, by which a website oper- 
ator can observe, for example, what individual visitors see while visiting a website. 
In the retail context, this means web-based retailers can tell what a customer looks 
at, not just what he buys. 

Amazon.com has turned this technical capability into customer-friendly features 
by which we better personalize our customers’ shopping experience. We do this in 
two principal ways: First, we automatically display items that take into account a 
customer’s recent shopping. If a customer has been looking at cameras, for example, 
the site may automatically display for her a camera tripod. Second, in our “The 
Page You Made” feature, we display, on the side of the screen, links back to some 
of the items the customer has looked at. Thus, instead of scrolling back through the 
site (the online equivalent of walking back to the other side of the store), we provide 
a simple way for a customer to get back to the items she earlier examined. Again, 
these features rely on the use of “click-stream” information. 

But even this ability to see what is shopped but not bought is not entirely unique 
to online entities. Professor Clarke L. Caywood, in his top-selling marketing and PR 
textbook, The Handbook of Strategic Public Relations & Integrated Communications 
(McGraw-Hill, 1997), describes the same practice in the brick and mortar world: 

“Marketers at Wal-Mart, a large discount retail chain, for example, spend sev- 
eral days each week in their own stores (and those of the competition) watching 
consumers shop, questioning them about their purchases, and asking them for 
feedback. At the end of each week, they return to their headquarters office and, 
in conjunction with their colleagues who have also spent time in stores in other 
locales, they discuss what’s on the consumer’s mind, what trends they need to 
watch, and what problems they need to correct. Armed with that information, 
they can tailor all manner of programs to the immediate needs of customers in 
a very specific local area.” 

Importantly, even if Congress considers the “click-stream” difference between on- 
line and offline to be crucial enough to warrant discriminatory treatment under the 
law, no federal bill introduced to date, not even S. 2201, is based upon this par- 
ticular difference. Rather, S. 2201 and previous online-only bills would apply dis- 
criminatory legal treatment to activities that, for all practical purposes, are identical 
online and offline. 

And, if differences between online and offline activities are the key, online trans- 
actions, in two important respects, actually protect consumer privacy better than off- 
line transactions. One respect is physical characteristics. Those Wal-Mart employees 
said to follow consumers around stores — and, indeed, any employee of a brick and 
mortar store, watching from the floor or hidden cameras overhead — can see physical 
personal characteristics unknown to online retailers. Wal-Mart knows your sex and 
race; if you are pregnant; how well you dress; and if you have acne. 

They also know where you are. Indeed, when one of Amazon.com’s customers vis- 
its our store, we cannot know their location. They may be at home, at the office, 
with their laptop computer at the airport, on the beach with their wireless PDA, 
or at an “Internet Cafe” in Paris. We simply don’t know. But, when I use my Mobil 
credit card, Exxon-Mobil knows exactly where I am, and can track my movements. 
My physical location at any given time is, I would think, highly sensitive informa- 
tion. And, yet, by my reading of Mobil’s privacy policy, Exxon-Mobil would not even 
allow me to opt-out of Mobil using that information internally or sharing it with 
Mobil’s “joint marketing partners.” S. 2201 would do nothing to change such offline 
situations, but would require online retailers to obtain (as Amazon.com already 
does) opt-in approval before transferring sensitive information. Again, if there’s a 
privacy problem somewhere, it’s offline. 

And, for those who point out that offline consumers can always wear dark sun- 
glasses or pay cash in order to remain anonymous, I note that online consumers 
have many, much easier ways to remain anonymous. They may easily set their web 
browser to block cookies or may use anonymizing software tools provided by compa- 
nies such as Zero-Knowledge Systems. Amazon.com’s privacy notice describes how 
to block cookies and provides links to Zero-Knowledge and other anonymizer compa- 
nies. 

Amazon.com Compliance with a Privacy Bill. At last summer’s House Commerce 
Committee hearing on privacy, one Committee member kindly noted that the com- 
panies represented, including Amazon.com, are “the good guys.” The implication was 
that the “bad guys” should be the target of privacy legislation, and that we “good 
guys” need not fear a reasonable law. 

In one sense, this Representative was exactly right. Amazon.com does not fear the 
direct effects of reasonable privacy legislation because, unlike the vast majority of 
our competition in the brick and mortar world, we already provide notice, meaning- 
ful choice, access, and security. Indeed, if truly reasonably interpreted, almost all 
of the substantive requirements of S. 2201 likely would have little direct effect on 
Amazon.com and its customers. (The most notable exception would be the bill’s ex- 
traordinarily burdensome access/deletion requirement.) We already are providing 
the privacy protections at the heart of this bill, including excellent access by cus- 
tomers to their own private information, simply because that is what our customers 
want. 

Offline Compliance with a Privacy Bill. However, in addition to a grave fear of 
being unfairly exposed to a spate of highly unreasonable lawsuits (which I will dis- 
cuss in a moment), we fear any law that implicitly allows our offline competitors 
free rein to continue to be privacy “bad guys,” unbeknownst to consumers. Indeed, 
although we are confident that, if consumers really knew what was happening to 
their private information in the offline world, instead of being misled to believe 
that their privacy is more at risk online, they actually would flock to do business 
with online “good guys” like Amazon.com. But, with the considerable media hype 
and misinformation surrounding online privacy issues, and the relative dearth of 
revelations about offline consumer information privacy practices, we believe it would 
be very unfair to let our competitors surreptitiously collect, use, or transfer con- 
sumers’ private information. 

Consumers Online and Offline. But most importantly, it would be fundamentally 
misleading to American consumers to enact a law that applies only to online entities 
because, for the foreseeable future, the putative protections of such a law would 
apply to just a tiny fraction of consumer transactions. Last year, online sales ac- 
counted for only one percent of all retail trade in the United States. Obviously, any 
law that addresses only online transactions could not benefit consumers much at all 
compared to one that equally addresses online and offline activities. Moreover, a law 
that addresses only online activities would have the perverse effect of failing to pro- 
vide any benefits to those on the less fortunate side of the digital divide. Indeed, 
consumers who, because of economic situation, education, or other factors, are not 
online would receive no benefits from an online-only law. 

Prior Online-Only Approaches. This is not to suggest that an online-only approach 
never was credible. To the contrary, based on what little was known publicly about 
both online and offline privacy practices as recently as two years ago, one reason- 
ably could have concluded at the time that online privacy issues deserve discrimina- 
tory treatment, especially in order to avoid a potential “privacy disaster.” 

No disaster has occurred, and we believe that facts gathered by this Committee 
and other bodies reveal that an online privacy disaster is no more likely than an 
offline privacy disaster. In addition, consumers now better understand that com- 
puters are used to record both online and offline transactions. The huge, searchable, 
and transferable computer databases kept by offline companies are just as much at 
risk as the information collections of online entities. In any case, the bills introduced 
to date would do little or nothing to forestall privacy disasters, either online or off- 
line. 

Moreover, as elaborated throughout this testimony, discussions over the past few 
years have shown that there are few meaningful differences between online and off- 
line privacy practices, and that some of these differences actually serve to protect 
consumer privacy better online. And, finally, as documented in the annual online 
privacy sweeps conducted by the FTC, et al., starting in 1998, it is clear that online 
entities have made extraordinary strides to enhance their privacy practices over the 
past four years. Offline privacy practices certainly have not improved at anywhere 
near this pace, if at all, over the same period. 

In sum, Mr. Chairman, although currently-available facts demonstrate that online 
practices do not deserve discriminatory treatment, there were good reasons why 
many people believed only a few years ago that such discrimination was warranted. 

Privacy Bill Benefits to Industry. Even if this law would do little or nothing to 
benefit the vast majority of consumer transactions, it has been suggested, such as 
in S. 2201’s Findings, that an online privacy bill would be good for online companies 
because the consumer trust it would spawn would lead to additional sales. This be- 
lief implies that the online industry, which has not sought a bill, either does not 
know what is best for itself or has a hidden agenda. Speaking for Amazon.com, I 
can say unequivocally that our agenda since our founding in the mid-1990s, has 
been to provide our customers the very best shopping experience. We believe, with 
good reason, that if S. 2201 were enacted, it would dramatically interfere with our 
ability to serve our customers. Indeed, S. 2201 has been reviewed by key personnel 
throughout our company and has provoked expressions of grave concern, particu- 
larly in the engineering department. These “can-do” engineers and programmers, 
who have built up our computer system all the way from our CEO’s garage to the 
Fortune 500 in just seven years, seriously question whether we possibly could com- 
ply with the technical requirements of this bill. And, even if somehow they could 
make our systems comply, our engineers fear that many of the bill’s provisions 
would seriously jeopardize our systems’ security and anti-fraud efforts. 

Questionable Industry Support for an Online-only Bill. It is often said that, even 
if not a majority, at least some in “industry” support an online-only legislative ap- 
proach. The relevant question is, which industry? The principal proponents of an on- 
line-only law do very little business online with consumers. One of the companies, 
a hardware manufacturer, does but a fraction of its business online, while its big- 
gest competitor does 100% of its business online. It is not difficult to imagine why 
the first company might support a burdensome online-only approach. Moreover, this 
same hardware manufacturer sells business hardware and services to Internet- 
based companies and, potentially at least, would benefit from a law that would re- 
quire substantial technical investments by online companies. Lastly, the other major 
technology firm that supports online-only legislation actually manufactures com- 
puter components and makes only a tiny percentage of its sales to consumers, 
whether online or offline. It is difficult to believe this company knows much more 
about serving web-based customers than Amazon.com knows about semiconductor 
dumping practices. 

Relative Expediency of an Online-only Bill. Finally, it also has been said that “on- 
line” and “Internet” transactions are being singled out because it would be too dif- 
ficult to craft a law that protects the other 99% of consumer transactions. Although 
it is hard to believe that expediency is the reason for the “online-only” focus, it is 
important to note that other bills have been (or soon will be) introduced in Congress 
that address both online and offline transactions. And, certainly this Committee has 
jurisdiction over all channels of commerce. Moreover, passing an online-only law at 
this point likely would delay passage of an offline bill for many years and, thus, ac- 
tually would hurt the chances of providing privacy protections for consumers offline. 
In any case, it certainly would not be 99 times more difficult to craft a law that 
protects 99 times as many consumer transactions. 

Conclusion. For all the foregoing reasons, we firmly believe that any privacy legis- 
lation that moves forward out of this Committee should apply to all consumer trans- 
actions, not merely the one percent conducted online. 

Key Positive Provisions in S. 2201 

Mr. Chairman, as noted earlier, we believe that there are at least two key provi- 
sions in S. 2201 that we could support. We appreciate the fact that you included 
these in your bill. They are the following: 

• Continuing Promise (Section 102(e)(1)(b)): This explicit confirmation that “the 
promise runs with the information” is good. Although we believe existing com- 
mon law and Section 5 of the FTC Act already would prevent successor entities 
from treating information less restrictively than was promised at the time the 
information was collected, we appreciate and support the enactment of this 
clarifying language, particularly because it removes potential ambiguity in 
bankruptcy proceedings. 

• Preemption (Preamble Section 4): As noted above, this is a necessary and good 
provision to ensure equal consumer privacy protections nationwide and to allow 
nationwide entities to comply (it would be virtually impossible for a nationwide 
website to comply with conflicting rules from multiple jurisdictions). Even 
though state laws most likely would fail a constitutional challenge, the expense 
and uncertainty of litigation could be avoided with this sort of Congressionally 
adopted ceiling. Given the agreement on the need to preempt inconsistent state 
laws, we merely need to ensure that this language is adequately clear. (Review- 
ing courts look for clear congressional intent; ambiguous language favors non- 
preemption.) 

Specific Areas of Concern about S. 2201 

Mr. Chairman, we also have identified the following areas of serious concern in 
S. 2201. Amazon.com will focus its cooperative and constructive efforts on these 
issues, as well as on the online-offline parity point, in an effort to provide you and 
your Committee as much information as soon as possible. Our principal concerns are 
as follows: 

Private Rights of Action (Section 203): 

• As noted above, we fear giving overly aggressive litigants a new tool to extract 
rents from “good guy” companies with relatively deep pockets. It is clear from 
the FTC/PFF sweeps that the most popular and, thus, the most successful, 
websites already are providing outstanding privacy protections. Unfortunately, 
however, it will be these “good guys” that litigants attack, because these are the 
entities capable of paying big judgments. Indeed, under the current bill, it 
would be far more lucrative to bring a class action suit to catch a “good guy” 
on a technicality than catch a “bad guy” in an egregious act. 

• A company could be hit with a judgment of $5,000 per user per violation (with 
up to a $100,000 kicker for repeated violations) with a showing of but minimal 
actual harm and showing no malfeasance. Because class actions are not pre- 
cluded, there probably will be a class action alleged for every potential violation. 
And, if the alleged violation is a part of a company doing business, there will 
be gigantic cases. 

• Allowing such private rights of action will cause the “good guys” to make their 
privacy notices much more legalistic — and much less readable to consumers — 
just so that they would fare better in a lawsuit. Unreadably long privacy state- 
ments and fine-print legalese would become the norm. A regulatory body such 
as the Federal Trade Commission, on the other hand, could balance the com- 
peting interests of legal precision and simplicity. 

• In addition, the uniformity necessary to run nationwide websites would be de- 
stroyed by a host of litigants suing companies all across the country. A single 
authority, such as the FTC, could provide the nationwide approach that private 
litigation cannot. 

State Actions (Section 204): 
• In a highly unusual, if not entirely unprecedented, grant of power, this section 
would allow state attorneys general to bring class actions on behalf of all their 
residents, unfairly exposing online entities to politically motivated lawsuits. 

Access and Deletion (Section 105): 

• Several of the terms in this section, such as “reasonable access,” “reasonable op- 
portunity,” and “suggest,” are ambiguously defined and it is unclear how the 
ambiguity will be resolved. Is this a matter for the Courts or perhaps a broad 
FTC rulemaking? 

• This section seems to require data deletion, which would dramatically hinder 
our efforts to limit fraud and thwart consumer identity theft. Indeed, this provi- 
sion likely would end up making consumer identity theft easier, by making 
criminal activity much harder to trace. Further, just imagine asking a bank, or 
credit card company, or brick and mortar store, to simply “forget” a transaction 
conducted with them last month, or last year! 

• Our information technology department tells us that the access/deletion require- 
ments would require extraordinary costly technical measures. They also fear 
that, even if it would be possible to meet these requirements, our security and 
anti-fraud measures would be compromised. 

• Finally, there are very narrow exceptions to law enforcement disclosure. One 
situation not addressed is where a website operator discovers fraud and wants 
federal help investigating it. Could we be liable if we report fraud to law en- 
forcement or to the victim of the fraud? And what if the victim files a civil suit? 
Does the fraudster really have a right to contest that motion? 

“Reasonable” Security (Section 106): 

• Companies have every possible motivation, including tort law, to maintain effec- 
tive security against hackers. There is no need for a new statute to require it. 

• After a security breach, it may very well be difficult to argue that “reasonable” pre- 
cautions were taken. With little precedent for guidance, the fact of a breach 
would make any failed security precautions look unreasonable. In other words, 
without clarifying language, a security “reasonableness” standard likely would 
function as a strict liability standard. On the other hand, to the extent that se- 
curity practices of other entities become well known, it also would be a concern 
if “reasonable” were defined as “what everybody else is doing.” This interpreta- 
tion could make it risky for companies to take innovative approaches to secu- 
rity. 

• Any detailed, public investigation of whether a company took reasonable pre- 
cautions might reveal too much to hackers about what a company does and does 
not do. 

Information Collection (Section 101(a)): 

• Even if S. 2201 were not modified to apply to offline entities, this provision 
could unfairly be read to impose requirements on online entities’ use of offline 
information that is, and would remain, available to offline entities without re- 
striction. Online entities should face no more restrictions on offline information 
than do offline entities. 

Notice and Consent (Section 102): 

• “Clear and conspicuous,” “affirmative consent,” and “robust” all are ambiguous 
terms, despite the definitions offered in Section 401, particularly with regard to 
the various technical means for delivering this information. For example, robust 
notice on a web-enabled telephone — with a very small display — might be very 
different from robust notice on a wide-screen monitor. 

• We are concerned about the general prescriptions on “use” disclosures. How de- 
tailed must these disclosures be? If the requirement is for super-detailed speci- 
fications, then companies will have to anticipate too many small variations on 
the general theme of how information is used, instead of focusing on the most 
important general points. Importantly, if too much information is required, con- 
sumers will not be presented readable disclosures. Finally, as for “methods of 
using,” we are concerned that this might require the revelation of potentially 
sensitive technical information not relevant to consumers, but very relevant and 
useful to hackers. 

• For sensitive information, are “opt-in” (in the title) and “affirmative consent” (in 
the text) the same thing? There is considerable ambiguity in both of these 
terms. Would the “initial robust notice” requirement force website operators, 
every time they collect a little more PII, to go back and give robust notice? Yet 
if the visitor just returns, and the operator doesn’t collect PII, then no robust 
notice is required. And, under the construct of this bill, every web page visit, 
which produces click-stream information, creates PII when it’s combined with 
a user’s identity. We fear that repetitive opt-out requirements would be burden- 
some and annoying to consumers. 

Definitions (Section 401): 

• This section, in addition to containing many ambiguities, incorrectly defines the 
term “cookie.” Further, the definition of “robust notice” is not clear. What is “ac- 
tual notice”? Is it subjective? Also, the definition itself contains a “use” (“to use 
or disclose that information for marketing or other purposes”). Does this mean 
you have to give Robust Notice, before the collection of PII, but Robust Notice 
is the same as actual notice that you intend to use for marketing or “other” pur- 
poses. Is a website’s link to a privacy notice “robust” in this way? And what 
about “robust notice” on a wireless or other small screen device such as the re- 
mote terminal on the kitchen wall or the automobile dashboard? 

We have identified these principal concerns with S. 2201, and plan to continue 
our analysis and dedicate our attention to providing the Committee information on 
each of these points. 

Conclusion 

In conclusion, Mr. Chairman, Amazon.com is pro-privacy in response to consumer 
demand and competition. We already provide our customers notice, choice (including 
opt-in choice where appropriate), access, and security. You have called for these 
same features in S. 2201 and, although we have many concerns with this bill, we 
appreciate that you recognize, as we do, the importance of consumer privacy. 

Our foremost concern with S. 2201 is that it would apply only to some companies 
and only to one percent of consumer retail transactions. For the many reasons ar- 
ticulated in this testimony, Amazon.com respectfully requests that any privacy legis- 
lation approved by this Committee apply to all consumer transactions, not merely 
those conducted online. 

In addition, Amazon.com has serious concerns with several specific provisions in 
the bill. Primary among these are the provisions for nearly unfettered class action litiga- 
tion; access/deletion obligations that would jeopardize our security and anti-fraud ef- 
forts; and technically infeasible security requirements. We look forward to working 
with you and your Committee to address all of these issues. 

Thank you again for inviting me to testify; I look forward to your questions. 

The Chairman. Thank you, sir. Mr. Dugan. 

STATEMENT OF JOHN C. DUGAN, PARTNER, 

COVINGTON & BURLING, ON BEHALF OF THE FINANCIAL 

SERVICES COORDINATING COUNCIL 

Mr. Dugan. Thank you, Mr. Chairman, Senator Hollings, Sen- 
ator McCain. I am testifying today on behalf of the Financial Serv- 
ices Coordinating Council, whose members include the American 
Bankers Association, the American Council of Life Insurers, the 
American Insurance Association, and the Securities Industry Asso- 
ciation. These organizations represent thousands of large and small 
banks, insurance companies, and securities firms that, taken to- 
gether, provide financial services to virtually every household in 
America. 

The FSCC is keenly aware of the need to maintain the privacy 
of personal information. With the enactment of the Gramm-Leach- 
Bliley Act in 1999, thousands of financial institutions across the 
country have expended enormous amounts of time, energy, and re- 
sources to provide financial institution customers with comprehen- 
sive privacy protections. 

These mandatory protections include notice of the institution’s 
information that must be clear, conspicuous, and provided annu- 
ally, opt-out choice regarding the institution’s sharing of informa- 
tion with nonaffiliated third parties, security in the form of manda- 
tory policies, systems, and controls to ensure that personal infor- 
mation remains confidential, and enforcement of privacy protec- 
tions via the full panoply of enforcement powers of the agencies 
that already regulate financial institutions, the Federal bank regu- 
lators, the Securities and Exchange Commission, State insurance 
authorities, and the Federal Trade Commission. 

All of these mandatory privacy protections apply equally to finan- 
cial institution consumers in both the offline and online context. 
The proposed requirements of S. 2201 would apply to financial in- 
stitutions on top of this already extensive privacy regime. 

As a result, the FSCC strongly opposes S. 2201 for the following 
five reasons. 

First, as I said, financial institutions are subject already to the 
comprehensive privacy regulation that Congress carefully debated 
and enacted just less than 3 years ago. It would be both unneces- 
sary and costly to subject them to the new and conflicting restric- 
tions included in S. 2201, which would translate into two types of 
notices to consumers, two types of consent provisions, redundant 
security requirements, and two distinct types of enforcement re- 
gimes. The FSCC believes that financial institutions should be sub- 
ject to a single privacy regime that applies equally in all contexts, 
as is the case now. 

Second, we believe the bill will thwart the development of e-com- 
merce by, for example, imposing dual and conflicting privacy stand- 
ards for companies that collect information both offline and online, 
as Senator McCain indicated before, often from the same customer. 
S. 2201 would severely impair a company’s ability to operate under 
this clicks and bricks business model. Such a company would be 
forced to maintain two separate information systems, an offline 
system subject to any applicable offline privacy regulations, and an 
online system subject to both those privacy requirements and the 
requirements contained in S. 2201. 

In many cases, as I said, the two systems would apply to per- 
sonal information collected from the same individual, and such a 
two-tiered system would be extremely costly and burdensome to 
manage, and it could cause some companies, especially smaller 
ones, to avoid online operations altogether. 

Third, S. 2201 would have a disproportionate impact on financial 
institutions, even though financial institutions are already subject 
to extensive privacy regulation. This is so because the bill regulates 
so-called sensitive information such as account balance and insur- 
ance policy information, much more stringently than nonsensitive 
information. Sensitive information is subject to the opt-in and class 
action enforcement, while nonsensitive information is subject only 
to the opt-out and no private right of action. 

For most types of businesses, the increased restrictions on sen- 
sitive information present relatively few additional problems, be- 
cause sensitive information does not constitute the core of their 
business. That is not the case with financial institutions. There, 
such information frequently is the business of banks, insurance 
companies, and securities firms. 

For example, an online clothing retailer might want to provide 
special discount coupons to its best customers, who might be those 
individuals who purchase more than a certain amount of clothing 
each year. The retailer’s discount offer would be subject to the bill’s 
opt-out requirement, and a violation of the requirement would not 
be subject to a private right of action or class action enforcement. 

In contrast, a bank might want to give its biggest depositors a 
discount on unrelated financial services such as an insurance prod- 
uct, or a loan, or an insurance company might want to reward a 
large life insurance policyholder with a discount on his or her car 
insurance. In these cases, the discount offers would be subject to 
the bill’s opt-in requirement, and any related violations of the stat- 
ute would be subject to class action enforcement. 

Thus, financial institutions, which are subject to much more com- 
prehensive privacy regulation than other online businesses, are 
subject to the bill’s most onerous restrictions with respect to their 
core businesses, while less-regulated online providers are not. The 
FSCC believes this is unfair and unnecessary. 

Fourth, the FSCC believes that a number of the bill’s provisions 
are simply far too restrictive, including both the opt-in and the ac- 
cess provision. In addition, the bill includes far too few exceptions 
to both its opt-in and opt-out requirements to recognize legitimate 
business-sharing and use practices that are necessary for compa- 
nies to stay in business and provide customer service, such as shar- 
ing information with credit bureaus, securitizing mortgages, and a 
variety of other practices which I have included in more detail in 
my written statement. 

Moreover, the bill’s opt-in and opt-out apply to any unrelated use 
of information, which would act as a new and unprecedented bar- 
rier to businesses communicating and marketing products to their 
own consumers. We think this restriction is just too broad. 

Finally, as others have testified, the FSCC believes that the bill’s 
regulatory approach is unnecessary in view of the increasingly ef- 
fective self-regulatory efforts of the online industry, including 
through new technologies. 

For all of these reasons, the FSCC opposes S. 2201. I would be 
happy to answer any questions you may have. 

[The prepared statement of Mr. Dugan follows:] 

Prepared Statement of John C. Dugan, Partner, Covington & Burling, on 

BEHALF OF THE FINANCIAL SERVICES COORDINATING COUNCIL 

My name is John Dugan, and I am a partner with the law firm of Covington & 
Burling. I am testifying today on behalf of the Financial Services Coordinating 
Council (“FSCC”), whose members include the American Bankers Association, 
American Council of Life Insurers, American Insurance Association, and Securities 
Industry Association. These organizations represent thousands of large and small 
banks, insurance companies, and securities firms that, taken together, provide fi- 
nancial services to virtually every household in America. 

The FSCC appreciates the opportunity to testify before this Committee on S. 
2201, the Online Personal Privacy Act. We are keenly aware of the need to maintain 
the privacy of personal information. With the enactment of the Gramm-Leach-Bliley 
Act in 1999 (the “GLB Act”), thousands of financial institutions across the country 
have expended enormous amounts of time, energy, and resources to provide finan- 
cial institution customers with comprehensive privacy protections. Coupled with the 
protections mandated by the Fair Credit Reporting Act, these consumers now must 
be provided — 

• Notice of the institution’s practices regarding information collection, disclosure, 
and use, which must be clear, conspicuous, and updated each year; 

• Opt-Out Choice regarding the institution’s sharing of information with non- 
affiliated third parties, and in certain instances, with affiliates; 
• Security in the form of mandatory policies, procedures, systems and controls to 
ensure that personal information remains confidential; and 

• Enforcement of privacy protections via the full panoply of enforcement powers 
of the agencies that regulate financial institutions, i.e., the federal bank regu- 
lators, the Securities and Exchange Commission, state insurance authorities, 
and the Federal Trade Commission. 

In addition to these protections, customers of financial institutions that handle 
personal health information receive the extensive privacy protections of federal and 
state medical privacy laws. All of these mandatory privacy protections apply equally 
to financial institution consumers in both the offline and online contexts. Taken to- 
gether, they form perhaps the most comprehensive set of mandatory privacy protec- 
tions in the country. The proposed requirements of S. 2201 would apply to financial 
institutions on top of this extensive privacy regime. 

The FSCC strongly opposes S. 2201 for the following reasons. First, financial 
institutions are subject already to the comprehensive privacy regulation described 
above, which Congress carefully debated and enacted less than three years ago; it 
would be both unnecessary and costly to subject them to the new and conflicting 
restrictions included in S. 2201. Second, the bill will thwart the development of e- 
commerce by, for example, imposing dual and conflicting privacy standards for com- 
panies that collect information both online and offline, often from the same cus- 
tomer. Third, parts of the bill apply much more restrictively to financial institu- 
tions, because of the nature of their business, than they do to other types of compa- 
nies — even though financial institutions are already subject to extensive privacy reg- 
ulation. Fourth, a number of the bill’s provisions are simply far too restrictive. Fi- 
nally, the FSCC believes that the bill’s heavy regulatory approach is unnecessary 
in view of the increasingly effective self-regulatory efforts of the online industry, in- 
cluding through new technologies. 

I. Financial Institutions and their Customers Don’t Need Yet Another Set 

of Privacy Rules 

S. 2201 seems to be aimed primarily at online businesses and advertisers that are 
not now subject to mandatory privacy regulation. But the bill sweeps in any busi- 
ness that deals with any consumer via the Internet, which means that privacy-regu- 
lated businesses like financial institutions are included as well. Because of the fi- 
nancial institution privacy protections described above, which are already in place 
and apply in the online context, the FSCC believes that the bill’s application to fi- 
nancial institutions is unnecessary. 

Just over two years ago, Congress carefully considered the costs and benefits of 
the privacy-related restrictions that ought to apply to financial institutions and 
their consumers, which resulted in Title V of the GLB Act. Financial regulators sub- 
sequently implemented detailed privacy regulations for the first time, and financial 
institutions have spent many millions of dollars to build systems to comply and pro- 
tect customer information. Financial institution customers now enjoy the benefit of 
those protections, which ought to be given a chance to work. 

Moreover, S. 2201 would subject financial institutions to a whole new layer of pri- 
vacy regulations that would apply at the same time as those imposed by the GLB 
Act and other financial privacy laws. That would mean two types of notices to cus- 
tomers, two types of consent provisions, redundant security requirements, and two 
distinct types of enforcement regimes. This is far too burdensome and costly. It 
could also confuse customers, which in turn would result in conflicting instructions 
by consumers to their financial institutions (e.g., opt-out in one context, opt-in in 
another). Financial institutions should be subject to a single privacy regime that ap- 
plies equally in all contexts. 

II. S. 2201 Will Thwart the Development of Electronic Commerce 

The Internet is bringing enormous social and economic benefits to its users and 
to nations around the world. It is empowering individuals to seek, receive, and 
share information and ideas. It is changing how we educate, shop, spend our time, 
and transact business. And, perhaps most importantly, it is equalizing access to in- 
formation, giving everyone with a computer and an Internet connection an oppor- 
tunity both to acquire and use information more effectively. 

Throughout its short history, the Internet has been a virtually regulation-free en- 
vironment. In the United States, regulations affecting the privacy of information on- 
line have been limited to only those necessary to protect our most vulnerable online 
population — children. Because of this philosophy of regulatory restraint, electronic 
commerce has thrived. According to a recent U.S. Department of Commerce survey, 
more than half of Americans are using the Internet and among these Internet users, 
39 percent of them are making online purchases. 
While the European Union has adopted comprehensive privacy regulations, the 
United States has avoided such an approach. On numerous occasions, government 
officials have appropriately voiced concern over problems inherent with applying old 
legislative paradigms to the constantly changing Internet. These concerns appro- 
priately recognize (1) that market-driven solutions to online problems provide the 
most effective means to ensure the continued growth of the Internet, and (2) that 
any governmental regulation should target discrete concerns and be carefully tai- 
lored to reach no broader than necessary in order to solve the problem at hand. The 
Children’s Online Privacy Protection Act (“COPPA”) and the Electronic Signatures 
in Globalization Act (“ESIGN”) reflect this balanced approach. Both laws are nar- 
rowly tailored to target specific online concerns and provide a workable legal frame- 
work within which these concerns can be resolved. 

S. 2201 is a marked departure from this philosophy of restraint and targeted gov- 
ernmental action. The bill treats information collected online differently than infor- 
mation collected by other means and thereby subjects the vast majority of U.S. com- 
panies to two substantially different privacy regimes in the offline and online envi- 
ronments. In practice, this approach will retard the use of online channels, or, at 
the very least, require a company to adhere to the bill’s substantive requirements 
with respect to all of its information collection activities. 

Today, companies like financial institutions frequently operate according to a 
“clicks and bricks” business model under which customer relationships begin offline 
and migrate online. Specifically, a company collects personal information about a 
consumer offline when it begins a relationship with a consumer and then again on- 
line when the consumer, on his own or through the prompting of the company, uses 
the company’s services over the Internet. In many cases, the information collected 
online is exactly the same as that collected offline (i.e., name, address, account num- 
ber), but in other cases the information may be different. As a result, it is fairly 
typical that a company has one database that includes both personal information 
initially collected non-electronically (and subsequently entered into a computer) and 
similar or different information collected over the Internet. 

S. 2201 would severely impair a company’s ability to operate under this “clicks 
and bricks” business model. Such a company would be forced to maintain two sepa- 
rate information systems — an offline system subject to any applicable offline privacy 
regulations (such as the GLB Act or healthcare privacy rules) and an online system 
subject to both those privacy requirements and the requirements contained in S. 
2201. In many cases the two systems would apply to personal information collected 
from the same individual. Such a two-tiered system would be extremely costly and 
burdensome to manage. And it could cause some companies, especially smaller ones, 
to avoid online operations altogether. 

III. S. 2201 Will Have a Disproportionate Impact on Financial Institutions 

S. 2201 creates two categories of personally identifiable information — “sensitive” 
and “non-sensitive” — and regulates sensitive information much more stringently 
than non-sensitive information. The bill requires online operators to obtain opt-in 
consent before they collect, disclose, or otherwise use sensitive information, and 
would use a private right of action and class actions to address violations of such 
requirements. In contrast, with respect to non-sensitive information, the bill requires 
only opt-out consent and establishes no express private right of action for individ- 
uals. 

For most types of businesses, the increased restrictions on “sensitive” information 
present relatively few additional problems, because “sensitive information” does not 
constitute the core of their business. That is not the case with financial institutions. 
S. 2201 defines “sensitive personally identifiable information” to include “sensitive 
financial information,” and that term includes the amount of income earned or 
losses suffered by an individual; balance “information” regarding any financial serv- 
ices account; any insurance policy information; and outstanding credit card, debt, or 
loan obligations. Although such information may be incidental to the operations of 
many online companies, it frequently is the business of banks, insurance companies, 
and securities firms. 

For example, an online clothing retailer might want to provide special discount 
coupons to its best customers, who might be those individuals who purchased more 
than a certain amount of clothing each year. The retailer’s discount offer would be 
subject to the bill’s opt-out requirement, and a violation of the requirement would 
not be subject to a private right of action or class action enforcement. In contrast, 
a bank might want to give its biggest depositors a discount on unrelated financial 
services such as an insurance product or a loan. Or an insurance company might 
want to reward a large term-life insurance policyholder with a discount on his or 
her car insurance. In these cases, the discount offers would be subject to the bill’s 
opt-in requirement, and any related violations of the statute would be subject to 
(and a target for) class action enforcement. 

Thus, financial institutions, which are subject to much more comprehensive pri- 
vacy regulation than other online businesses, are perversely subject to the bill’s 
most onerous restrictions with respect to their core businesses, while less regulated 
online providers are not. As discussed below, it would be extremely costly and unfair 
to target financial institutions with some of the bill’s most restrictive provisions, i.e., 
the opt-in and private right of action, which also have particularly negative effects 
on financial institutions that handle health information. 

A. S. 2201’s “opt-in” requirement will effectively prohibit core financial institution practices that benefit consumers. 

Financial institutions are well aware of the unique position of responsibility they 
have regarding an individual’s personal information, including health information. 
The member companies of the trade groups belonging to the FSCC are strongly com- 
mitted to the principle that individuals have a legitimate interest in the proper col- 
lection and handling of their personal information and that these companies have 
an obligation to assure individuals of the confidentiality of that information. 

However, the FSCC strongly opposes S. 2201’s opt-in requirement, especially 
when it is coupled with the bill’s unrelated use requirement. That is, unlike the 
GLB Act, which applies only to disclosures of personal information by a financial 
institution to third parties, S. 2201 also restricts virtually any use of personal infor- 
mation by the institution itself, even if the information were not disclosed to others 
and were used to benefit the customer. This would constitute a new and unneces- 
sary roadblock between all companies and their customers. 

The combination of the opt-in and unrelated use restrictions would require finan- 
cial institutions to contact customers and obtain their prior permission to engage 
in core business activities involving personal information — which in practice would 
constitute a de facto prohibition on responsible information sharing that benefits 
consumers. Not even Europe’s Privacy Directive, which on paper is one of the most 
stringent privacy regimes, goes this far. Instead, the EU Directive permits entities 
to follow an opt-out approach with respect to the use and disclosure of financial in- 
formation. 

The FSCC believes that there is a fundamental flaw with the way opt-in require- 
ments work. Such provisions deprive consumers of benefits from information shar- 
ing, such as discounts on other types of financial products. In essence, an opt-in cre- 
ates a “default rule” that stops the free flow of information (which is especially crit- 
ical to Internet transactions). This in turn makes the provision of financial services 
more expensive and reduces the products and services that can be offered. Further, 
consumers rarely exercise opt-in consent of any kind — even those consumers who 
would want to receive the benefits of information sharing if they knew about them. 
In contrast, a meaningful opt-out gives privacy-sensitive consumers as much choice 
as an opt-in, but without setting the default rule to deny benefits to consumers who 
are less privacy-sensitive. 

B. S. 2201’s narrow exceptions to the bill’s opt-in (and opt-out) will prevent critical information sharing by financial institutions. 

Privacy regimes that impose customer consent restrictions on financial institu- 
tions nearly always include a range of specific exceptions. These exceptions cover 
circumstances in which consent is either implied, unnecessary, or would impede a 
legitimate public policy goal. For example, the Gramm-Leach-Bliley Act and its im- 
plementing regulations at both the federal and state level recognize well over 30 
such exceptions, which are critically important to financial institutions doing busi- 
ness with their customers. Such “doing business” exceptions, which have never been 
controversial, permit disclosures that are necessary, for example, to prevent fraud, 
create credit histories, underwrite insurance, engage in risk management practices, 
securitize loans, outsource functions to agents, obtain legal advice, etc. 

In contrast, S. 2201 includes only four exceptions to the bill’s opt-in and opt-out 
requirements. Section 104’s exceptions apply to certain information collection, use, 
and disclosure practices that are necessary to (1) protect the security or integrity 
of the website; (2) conduct a transaction, deliver a product, or complete an arrange- 
ment for which personal information has been provided; (3) provide other products 
or services that are “integrally related” to the transaction, service, product, or ar- 
rangement for which the consumer provided the information; and (4) to comply with 
law enforcement or a judicial process. 

These provisions, although vague, were clearly crafted to reach services provided 
in the context of completing online retail sales. Yet financial institutions necessarily 
do much more with online information than engage in marketing or the other 
extremely narrow range of activities covered by the bill’s exceptions. The combination 
of the opt-in and unrelated use provisions could potentially shut down core business 
use and sharing practices, including sharing information with credit bureaus, 
securitizing mortgages, running normal credit card operations, and engaging in a 
range of activities related to insurance underwriting. It is unlikely that these activi- 
ties would qualify as “necessary to conduct” or “integrally related” to the trans- 
action, service, or product obtained by the consumer. This would have the unin- 
tended, negative consequence of disadvantaging, rather than helping, consumers. 

C. The private-right-of-action provision will invite abusive class action litigation against financial institutions. 

Under the bill’s private right of action, any showing of actual harm involving sen- 
sitive information, however small, will provide a plaintiff with a guaranteed recov- 
ery of at least $5,000 per violation. Such a provision is clearly intended to attract 
class action litigation as an enforcement mechanism. Because financial institutions’ 
core business involves information that the bill deems “sensitive,” the bill would 
make them the new target of choice for the plaintiffs’ bar. 

This is both unfair and unnecessary. Unlike most online businesses, financial in- 
stitutions are already heavily regulated, and their regulators have broad powers to 
punish violations of law — which they do not hesitate to exercise. That is why, in the 
privacy context, Congress chose not to authorize a private right of action or class 
actions as a means to enforce the GLB Act’s privacy provisions. Instead, enforce- 
ment is accomplished through the full panoply of enforcement powers of the relevant 
financial regulator, e.g., federal banking agencies for banks; the SEC for securities 
firms; state insurance authorities for insurance companies; and the FTC for non-tra- 
ditional “financial institutions.” This enforcement regime works. The FSCC there- 
fore strongly opposes the creation of a new class action mechanism that, while hav- 
ing little impact on most online businesses, would create a huge and unnecessary 
new source of litigation cost for financial institutions. 

D. The bill will have a disproportionate impact on financial institutions that handle health information. 

S. 2201 includes individually identifiable health information within the definition 
of sensitive information that is subject to the bill’s stricter opt-in requirements. This 
ignores the complex and detailed issues surrounding the protection of health infor- 
mation. Financial institutions, particularly insurance companies, must be able to 
disclose or otherwise use personally identifiable health information to perform es- 
sential, legitimate insurance business functions, such as underwriting and claims 
evaluations. In addition, insurers must be able to disclose and use personally identi- 
fiable health information to perform important business functions that are not nec- 
essarily directly related to a particular insurance contract but that are essential to 
the administration or servicing of insurance policies generally, such as, for example, 
developing and maintaining of computer systems. An opt-in that would jeopardize 
these uses and disclosures of personally identifiable health information would also 
jeopardize insurers’ ability to serve and fulfill their contractual obligations to exist- 
ing and prospective customers. 

Insurers also must regularly disclose personal health and financial information to: 
(1) state insurance departments as a result of their general regulatory oversight of 
insurers, which includes regular market conduct and financial examinations of in- 
surers; (2) self-regulatory organizations, such as the Insurance Marketplace Stand- 
ards Association (IMSA), which imposes and monitors adherence to requirements 
with respect to member insurers’ conduct in the marketplace; and (3) state insur- 
ance guaranty funds, which seek to satisfy policyholder claims in the event of im- 
pairment or insolvency of an insurer or to facilitate rehabilitations or liquidations 
that typically require broad access to policyholder information. In addition, insurers 
need to (and, in fact, in some states are required to) disclose personal information 
in order to protect against or to prevent actual or potential fraud. Such disclosures 
are made not only to law enforcement agencies, but also to state insurance depart- 
ments, the Medical Information Bureau (MIB), or outside attorneys or investigators, 
who work for the insurer. To the extent that S. 2201’s opt-in would limit these dis- 
closures, it would undermine the public policy reason for making them — to protect 
consumers. 

Existing federal and state privacy regimes, including the final Standards for Pri- 
vacy of Individually Identifiable Health Information (Privacy Rule) promulgated by 
the Department of Health and Human Services as required by the Health Insurance 
Portability and Accountability Act (HIPAA) (P.L. 104-191), provide fundamental 
protections to the privacy of health information. Unlike S. 2201, the HIPAA Privacy 
Rule includes a variety of carefully considered exceptions to its authorization 
requirement in order to strike a proper balance between the legitimate expectations 
of consumers concerning the treatment of their information and the ability of insur- 
ers and others to use personal health information responsibly. Also, many state laws 
and regulations, particularly those adopted recently to implement the privacy re- 
quirements of the GLB Act, contain sections specifically addressing the confiden- 
tiality of health information and specifically providing exceptions to their opt-in re- 
quirements applicable to disclosures of health information. 

In short, the issue of health information privacy is difficult and complex. It is, at 
best, unclear how the health provisions of S. 2201 compare and/or integrate with 
existing laws and what impact this legislation will have on financial institutions. 
At worst, the combination of the opt-in and class action enforcement could have ex- 
tremely negative consequences. 

IV. Other Concerns with S. 2201 

There are a number of other fundamental problems with the provisions of S. 2201 
that are not unique to financial institutions. 

“Use” Restrictions. The problem with the bill’s blanket restriction on unrelated 
“uses” of information is not limited to sensitive information covered by the opt-in. 
It also applies to nonsensitive information covered by the opt-out. (A business may 
not disclose or “otherwise use” information collected online without notice and opt- 
out.) Among other things, this will impair a business from engaging in generally ac- 
cepted marketing activities with its own customers, and a charity from soliciting 
contributors for additional contributions. Thus, the FSCC believes the use restric- 
tion is both unnecessary and overly broad. 

Access. S. 2201 will impose access requirements that will be extremely costly and 
that will reduce security on the Internet. S. 2201 subjects access requests to a vague 
reasonableness test and fails to exclude information, such as trade secrets or inter- 
nal operating procedures, to which consumers should never have access. In addition, 
S. 2201 fails to recognize that information may not be maintained in centralized 
databases searchable by customer name. (And privacy advocates have long advo- 
cated that businesses should not be encouraged to establish such centralized data- 
bases because of increased possibilities for obtaining and using too much informa- 
tion about an individual too easily.) Even where databases are highly centralized, 
the costs of complying with this requirement will far exceed the nominal charges 
permitted under the bill. S. 2201 also fails to define what it means to “delete” a 
record in an electronic environment. For example, must all back-up tapes be re- 
trieved from storage and searched for relevant records when a “delete” request is 
received? What about requests to delete personal information when there is a legal 
obligation or important business reason to retain such information? The bill does 
not provide guidance on these important questions. 

Financial institutions already provide their customers — often in real time — with 
access to the personal information of greatest concern to them, i.e., their account 
balances and transaction statements. In addition, the Fair Credit Reporting Act pro- 
vides consumers with extensive access and correction rights regarding financial in- 
stitution information that is used to make very significant decisions about them, i.e., 
to grant or deny credit or insurance. For these reasons, there is no need to impose 
an additional and vague access requirement that can be used for “fishing expedi- 
tions” to search for violations of the Act — especially when violations can be easily 
translated into class action litigation. 

Security. S. 2201 contains security requirements that duplicate those already es- 
tablished for financial institutions in the GLB Act. Specifically, the GLB Act and 
its implementing regulations require that each financial institution protect the secu- 
rity and confidentiality of customers’ nonpublic personal information and implement 
a comprehensive security program. The differences between the security provisions 
of S. 2201 and the GLB Act will lead to unnecessary increased costs to ensure that 
security procedures meet multiple sets of requirements. 

V. S. 2201 Is Unnecessary Because Private Sector Efforts Are Working 

Finally, apart from the fact that financial institutions are already subject to com- 
prehensive privacy regulation, the FSCC believes that the private sector has taken 
and continues to take significant steps to address online privacy concerns. These ef- 
forts are particularly well suited for solving privacy-related problems on the Inter- 
net. This is so because private sector initiatives generally can respond more quickly 
than legislative solutions to changing technologies and evolving online business and 
social practices. In addition, private-sector mechanisms, because they are consumer 
driven by nature, are more likely to permit users to choose among various solutions 
based on their individual privacy preferences and thereby avoid the problem of 
over- and under-breadth that is unavoidable in government regulation, which typically 
must be one dimensional in nature. 

Recent surveys indicate that the private sector’s efforts at self-regulation are 
working. For example, the Privacy Online report released earlier this year by the 
Progress and Freedom Foundation shows that nearly all of the most popular 
websites (99%) and the vast majority of randomly sampled websites (80%, up from 
64% in 2000) post some form of privacy notice if they collect personally identifiable 
information. Of those websites collecting personally identifiable information, 71% of 
randomly sampled sites and 89% of the most popular sites offer consumers some 
form of choice with respect to disclosing that information internally, and almost all 
(93% up from 77% last year) of the most popular sites and the majority of randomly 
sampled sites (65%) offer consumers choice over disclosures to third parties. Finally, 
the survey showed that websites are increasingly likely to tell consumers that they 
are taking adequate security measures to protect collected information. 

In addition, website operators continue to seek certification under seal programs 
such as TRUSTe and BBBOnLine. By the end of 2001, TRUSTe had certified more 
than 2000 websites in a variety of industries (up from roughly 500 websites in 1999) 
and BBBOnLine has certified more than 760 sites, up from 450 two years ago. The 
FTC has recognized that such seal programs are an effective method for delivering 
privacy protections to consumers. In particular, the FTC has endorsed seal pro- 
grams as a means of complying with the provisions of COPPA — the FTC has created 
a safe harbor so that websites that comply with, for example, TRUSTe’s children’s 
privacy seal, will be deemed to be in compliance with COPPA as well. 

In addition to these efforts, technology provides compelling solutions to many on- 
line privacy concerns. For example, P3P, a privacy-enhancing technology that en- 
ables users to specify a level of privacy protection based on a website’s practices for 
tracking data, is continuing to gain acceptance and prominence as an effective meth- 
od of protecting consumers’ online privacy. Among the most popular websites, 23% 
have implemented P3P, and Internet Explorer 6 includes the P3P function. 

In sum, like the Federal Trade Commission, the FSCC believes that the signifi- 
cant and evolving steps taken by the private sector to address online privacy con- 
cerns makes additional governmental regulation unnecessary at this time, including 
S. 2201. 

The Chairman. Very good. Mr. Dugan, we appreciate the posi- 
tion of the bankers and the insurance industry and the securities 
group, but all you have to do is go get a loan from the bank and 
you will see how many requirements that are required, and all the 
information that is necessary to get that loan. 

There is no question — getting right to the point, the Federal 
Trade Commission for 5 years did as we in this Committee asked. 
We asked them to bring the industry in, correlate it, have hearings, 
they had numerous hearings time and again, and I mention this 
because one of the witnesses would quote just part of what Mr. 
Pitofsky found, that the Federal Trade Commission after 5 years, 
2 years ago — so that means we have been on it seven years — they 
recommended congressional action to protect the consumer privacy 
online. 

Otherwise, all the fear and bother about the online-offline com- 
parisons, witness after witness has pointed out the differences. It 
culminated into the Children’s Online Privacy Protection under 
Senator Bryan some 4 years ago, and it has worked wonderfully 
well. We have not had all of the Chicken Little, the sky is going 
to fall if you do not regulate the offline with the online. 

Otherwise, with respect to the right of action, I will have to agree 
with Mr. Rotenberg that there is a virus in this Congress, because 
we are all opposed to politicians and we do not like lawyers, and 
anything that refers to our right of action, you would think that we 
had never had any enforcement, and of course when we refer to the 
different — like the National Highway Transportation Safety Board, 
we got into the Firestone case, and we found out that in a 5-year 
period 99 million recalls, they were all voluntary on account of the 
private right of action. Not a one in 5 years of the 99 million did 
the particular governmental Federal commission direct that there 
be a recall, so we have had hard experience at this Committee level 
with respect to it. 

And the diversity, Ms. Lawler, that you find that might cause 
trouble of one jury finding one finding and a different jury in a dif- 
ferent section of the country finding differently would be sort of 
confusing. It was not until the forefathers, they put that in in the 
Seventh Amendment, the Bill of Rights, the trial by jury, for the 
very reason that we wanted to respect that diversity. 

Senator McCain. 

Senator McCain. Thank you, Mr. Chairman. I would like to ask 
first of all, from all the members of the panel, two questions. How 
should we treat information collected online and offline that is 
merged together into one consumer data file, and should all iden- 
tical types of information, whether collected online or offline, be 
subject to the same privacy restrictions? We will begin with you, 
Mr. Torres. 

Mr. Torres. Senator, we would love to see a comprehensive pri- 
vacy bill passed by this Congress and signed by the President into 
law. Unfortunately, the way that privacy has been treated in this 
country has been sector by sector. We have looked at video records, 
we have looked at cable television viewing habits, we have the 
FCRA, which protects some of the financial information. Telephone 
records are also covered. 

Gramm-Leach-Bliley, while we do not necessarily agree with the 
position taken by the industry council about the effectiveness of the 
law, nonetheless that is the law on the books, so the way we have 
done information in the past, it has been sector by sector, so it is 
not surprising that we should treat, or that the concept is out there 
in this bill that we should treat the online sector as kind of — that 
we should not treat it at all, because we are concerned about impli- 
cations in the offline world, and I have got three responses to that, 
really. 

We should treat it differently. It is different. It is a different me- 
dium. The way they collect information is different. 

Senator McCain. My question is, if it is merged together into one 
consumer data file. 

Mr. Torres. If it is merged together in one consumer data file, 
it should go to the stronger protections, perhaps, because it is the 
companies that choose the way they collect their information in ei- 
ther the online or the offline setting. It is the companies that 
choose to merge that data together. We should not fault the con- 
sumer for what the company does and say we cannot control this 
company because they choose to make this complicated. I do not 
have a choice, if I think the IRS laws are too complicated, because 
I have got a lot of complex financial transactions, to say, whoa, this 
is too complicated, I should not have to comply with this. It is, I 
choose to merge this information together. 

I have got full faith and confidence in this industry, that can find 
zillions of ways to slice and dice this information, to use it without 
telling the consumers what they are doing with it, to try to sell con- 
sumers junk products, based upon the information they collect from 
consumers, and now they cannot figure out how to provide the con- 
sumers notice and opt-out, and I mean, the companies are not pro- 
hibited from using this information to serve the client, for what the 
customer gave them the information to do. 

What they are not allowed to do without giving the consumer 
some level of control is to go out and sell this information. 

Senator McCain. Mr. Torres, my time is limited, and we have 
four other respondents. As much as I appreciate your knowledge 
and your passion, I thank you. 

Ms. Lawler. Let me comment about merging online and offline 
data sources by way of HP’s actual practices, which are that that 
is the fact today for us, and particularly when we look at the dif- 
ferent types of sources, Mr. Misener from Amazon.com mentioned 
a few. One he did not mention that is actually the single largest 
source of our customer data is our call center business, and that 
would be support call centers, or pre-sales call centers, where 
someone calls because they have a problem they need fixed or help 
with, with regard to one of their HP products. 

So when we talk about merging data into a single data base, I 
would actually qualify that and say, with many large, global com- 
panies like HP, we are not talking about merged data in a data 
base. We are talking about several, and our efforts have actually 
focused on reducing the hundreds into the several into the few. It 
will be never less than a few, given the vast and broad nature of 
our customers. 

Our perspective is, we treat them the same, when you look at the 
statements made by the FTC last fall, that the presumption is that 
the offline policies and practices are the same as those stated in 
our online privacy statement. 

Senator McCain. So then they should be subject to the same pri- 
vacy restrictions, in your view? 

Ms. Lawler. We would be comfortable with that. 

Senator McCain. Mr. Rotenberg. 

Mr. Rotenberg. Senator, I think the obligations for companies 
operating on the Internet should apply when they marry that data 
with the offline data that is in their possession on the same cus- 
tomers. I think it is very important — you know, if we learned noth- 
ing else from the last 5 years, it is clear that the privacy risks asso- 
ciated with the online world are different from those in the phys- 
ical world. 

Senator McCain. Would you agree also, with the changing tech- 
nology, that the challenges change as well? 

Mr. Rotenberg. Certainly, Senator, I agree the technology will 
evolve and the law will evolve. The good thing about this bill is 
that it follows the general principles that have been used in the 
past to protect privacy and fair information practices, and those 
principles which really relate to the collection and use of customer 
information stay pretty much the same even as the technology 
changes. 

But if I may, sir, make one other point, companies operating on 
the Internet have the benefit of an enormous opportunity that 
those in the physical world do not. They can track their customers 
moving from one web page to another. They can plant cookies. 
They can use e-mails. Some of this is very effective, and some of 
it has helped build companies like Amazon that today has 35 mil- 
lion customers, but I certainly think that privacy obligations carry 
along with those new, innovative business practices. 

Senator McCain. Thank you. Mr. Misener, you do not need me 
to repeat the question, do you? 

Mr. Misener. No, I do not, thank you, sir. 

Senator McCain, the same information ought to be treated the 
same. The consumer’s perspective on this is fairly obvious. Why 
should they care if their privacy is violated through one medium 
as opposed to another? It ought to be treated equally. It seems to 
me there is no reason, no principled reason to treat them any dif- 
ferently, or to treat the information any differently. 

We have heard from a couple of the other witnesses that there 
are true differences between the online Internet medium and other 
channels of commerce. I would submit to you that there are, and 
if there are differences that warrant legislation specified or specifi- 
cally tailored to those differences, that is something we ought to 
talk about. Unfortunately, the way these bills have gone, including 
S. 2201, is that they treat the same kind of practices differently. 
They do not hone in on the differences. 

I would submit to you, Senator McCain, that in the offline world 
retailers know the race and the sex and the personal appearances 
of their customers. We do not. In the offline world, retailers know 
where the customers are. They can track them around the country. 
We cannot. We have no idea where they are physically. Those are 
two very serious privacy differences that actually favor the online 
world. 

If we want to talk about differences, we ought to legislate 
about 

Senator McCain. Favor the offline world? 

Mr. Misener. Well, that privacy is better in the online world, 
and so if there are true differences here, let us talk about the dif- 
ferences and hone in on those, but where the collection methods 
and the use and the treatment of the information and the informa- 
tion itself are identical, they ought to be treated identically under 
the law. 

Senator McCain. Mr. Dugan. 

Mr. Dugan. Senator, I agree, we cannot see how you can treat 
the information differently. If you operate in two channels at once 
for the same customer you could not have two separate checking 
accounts for one person, for example. We think they should be 
treated the same. They are treated the same under the Gramm- 
Leach-Bliley privacy scheme that applies to financial institutions in 
both the offline and the online context, and we think that is appro- 
priate. 

Senator McCain. But they are not under this legislation? 

Mr. Dugan. That is correct. 

Senator McCain. Thank you very much, Mr. Chairman. 

The Chairman. Thank you. Senator Burns. 

Senator Burns. I would like to ask the panel one question along 
the same lines as Senator McCain asked. Why is it we hear the 
clamor for privacy online when much or more is collected offline? 

Mr. Rotenberg. Senator, if I could try to answer this, I think 
it really is because the data collection practices are different. If you 
go into a store — you know, it is interesting, you go into a store and 
you purchase a product, you can pay by cash, and pay by credit 
card. There is a very good chance the store has no idea who you 
are unless you choose to sign up for a catalogue or have something 
shipped to your home, and the thought that walking down an aisle, 
or picking up a book, or looking at a product that you might be in- 
terested in could somehow be recorded is really the exception rath- 
er than the rule. 

The online world is very different. We know this. I mean, we 
know this because of the way the cookies operate, because of the 
http protocols. It is just much easier to follow people online, so 
when the list of Prozac people is published, that is the kind of prob- 
lem that could only happen on the Internet. 

Ms. Lawler. Senator Burns, what I would like to add to that, 
I think it gets down to the fundamental trust relationship that con- 
sumers have with the organizations they do business with, and 
when you have that personal interaction, or you can choose that 
personal interaction when you walk into a store, or walk onto the 
concrete in an auto dealer, that is very different than when you 
cannot see with whom you are dealing. It is a nameless, faceless 
entity, so I think the perceived and real standards become higher 
in individuals’ minds when they are dealing with a company that 
may or may not have a brick-and-mortar presence as well. 

Mr. Misener. If you do not mind, Senator, I would just like to 
add to that that I think part of it — and you have asked why is 
there more attention being paid to it. I think part of it is frankly 
just a carryover from what the novelty of the Internet is that really 
began five, six, 7 years ago, when people were sitting before a com- 
puter and it is a mysterious thing. It is a computer, as opposed to 
the friendly store, or the friendly cards they fill out, the subscrip- 
tions I get. 

My wife and I just bought a washer and dryer, and the warranty 
registration card has labeling all over it saying, for your safety, fill 
out this and return this for your safety, and these are dangerous 
devices, and so they want to know for my safety what my house- 
hold income is and whether or not we read the Bible. It is not scary 
when you fill out the little card in pencil and mail it in, right? 

But the reality is, when that card gets filled out and sent in, it 
gets entered into a huge computer data base which is shared, and 
the information is sold wherever, and in this instance it is far more 
safe to share your information with Amazon.com. 

Mr. Dugan. Senator, my only comment is, from a financial insti- 
tution’s perspective, they do not see much difference. Customers 
are obviously concerned about privacy, but they see it the same 
way whether it is online or offline. 

Senator Burns. I would imagine — yes, sir, Mr. Torres. 

Mr. Torres. I was just going to say, I think consumers, when 
they go online, may venture into different areas that they would 
not necessarily go to in the offline world. I mean, I have looked up 
an awful lot of, because of a family situation an awful lot of med- 
ical information online. The thought that that is being tracked is 
rather frightening, whereas I might not necessarily go to a book- 
store or to the library and look that up, but it is available to me, 
and so just where you can go online is quite different. 
Senator Burns. As for the second area of concern, in a meeting 
with various interest parties around about the bill the Committee 
is concerned with today, I heard a lot of alarm about the private 
right of action language. Could you comment on the private right 
of action section contained in S. 2201? Is it overly broad in scope, 
or is it too limited? Does anybody want to take a shot at that? 

Mr. Dugan. Sure, I will take a shot. We believe it is far too 
broad, and because financial institutions deal in sensitive informa- 
tion, it is really aimed at financial institutions, even though we al- 
ready are subject to privacy protections and enforcement. 

Our regulators, for example, bank regulators can impose pen- 
alties of $1 million a day for violations of privacy violations of the 
Gramm-Leach-Bliley Act. We think that is sufficient. It is a system 
that works. There is no reason to apply a private right of action 
in that circumstance, and the provision in this bill does, as I think 
someone was saying before, you have to show some actual harm, 
it is true, but if you show any bit of actual harm, then it is a min- 
imum $5,000 per customer per violation, and if you have millions 
of customers, as many companies do, that is an invitation to class 
action litigation. 

Senator Burns. Let me put a footnote on this, and whether it is 
too broad or too narrow. Give me your idea on safe harbor. 

Mr. Rotenberg. Mr. Chairman, first of all — I am sorry, Senator 
Burns, as the Chairman explained, you need some kind of private 
right of action because otherwise all your chips basically sit on the 
FTC. I mean, that is the way the bill is structured, and if the FTC 
does not choose to take action, people who may have been actually 
aggrieved will have no place to turn, and so that is where this pro- 
vision comes from. 

As I explained in my opening statement, I think it is too narrow. 
I think it places all the burdens of litigation without any of the 
benefits, and I cannot imagine any lawyer, unless kind of a big- 
hearted person wants to do it on a pro bono basis, litigating on the 
basis of this provision, and so I gave two suggestions. 

One is to treat it as other privacy statutes do, which is to give 
people the opportunity to recover for cause. You can even cap, by 
the way — I mean, I understand the industry concern. You do not 
need to have sort of big, open-ended damages. You could have a cap 
on damages, or go into small claims court. 

On safe harbor, I think it can be made to work, but enforcement 
is key, because you have to understand that is another hurdle, an- 
other sort of black hole where, you know, we can lose track of what 
is actually happening and whether there is enforcement of the good 
provisions in the bill. 

Mr. Torres. Senator, we would be very skeptical of a safe harbor 
unless it was properly structured in such a way that it was not 
such a harsh hurdle to overcome, and also have some kind of teeth 
to it so that the standards were at least equivalent. 

And to the private right of action, it is just — I mean, the thought 
that — we cannot even get — let me put it this way. I work on a lot 
of different financial and banking issues. We cannot get the bank 
regulators to go after predatory lenders. The thought that they 
would go after a bank to seek a $1 million penalty for a privacy 
violation, I just do not see that happening. 
I mean, we talk a lot about accountability and responsibility. You 
know, we are about to pass a bankruptcy bill that is going to sock 
it to consumers, and hold them accountable and responsible. Why 
can’t we ask for that same type of standard of industry? If they are 
so concerned about privacy, they are so concerned about doing the 
right thing, and they say that they are, why don’t they stand up 
and say, OK, and the private right of action here, the hurdles are 
high. If anything, it is narrow, but perhaps it does strike the right 
balance, because to use it, it has got to be a real bad thing for a 
consumer to use it, so in a way it is self-limiting, and may be the 
right approach. 

Mr. Misener. Just very quickly, Senator, there are two com- 
peting consumer interests here. Consumer interest one is enforce- 
ment. They want to ensure that if there is a law on the books that 
it is enforceable. If it has no teeth, then it is not useful. 

On the other hand, consumers also want clear, readable notice 
given to them. We have these two competing things. One is, compa- 
nies will try to protect themselves against lawsuits by making the 
privacy policy extraordinarily long, detailed, legalistic, unreadable. 
On the other hand, they want to provide their consumers and their 
customers something that is useful to them, something that actu- 
ally they will read and understand. These kinds of things are com- 
peting interests that an agency like the FTC could take into ac- 
count. 

Yes, it may not have been entirely, precisely, legally correct, but 
it was trying to communicate to consumers what they were really 
doing. A class action attorney will have no such balancing desire. 
He will focus in on the legal precision only, and not care whether 
or not it was readable. 

Senator Burns. Ms. Lawler. 

Ms. Lawler. Thank you. With regard to the safe harbor, we 
think there is an excellent place for that in the overall enforcement 
scheme, and I would comment in particular on our involvement in 
the BBB online privacy sale program, which also meets the first 
line of enforcement requirement for the safe harbor self-certifi- 
cation. We think that takes a good place in that regard. 

With regard to the private right of action, some of my concerns 
would be a little bit on the opposite side of the class action suits, 
and based on observations we have made very recently in the in- 
dustry and with some of our colleagues, that you have similar to 
what is happening with many of the State anti-spam laws, which 
are the spambulance chasers, where individuals 

Senator Burns. Do not get started on spam. 

[Laughter.] 

Ms. Lawler. In any event, what we see is not attorneys getting 
involved looking for large, deep pockets, but individuals perhaps 
turning their own interpretation of the law on its side in an effort 
merely to gain some additional income. 

Senator Burns. Thank you. 

The Chairman. Senator Wyden. 

Senator Wyden. Thank you, and I thank all of our panel. As you 
know, millions of the privacy notices that get mailed out today, 
particularly the ones in Gramm-Leach-Bliley just end up in the 
trash can. They literally show up at the house and into the trash 
they go, and these notices are particularly important, because this 
is something that empowers consumers, and they get a sense of 
what it is the companies are collecting about them, and for the life 
of me I cannot figure out why it is not possible to come up with 
a short, understandable notice and format, so as to give consumers 
these basic protections. 

I would be curious what would be wrong, in the judgment of this 
panel, with using something along the lines of what is done for nu- 
tritional labeling. This is an effort, it is a requirement, it is done 
the same way on all food products, consumers grow familiar with 
it, they know to look for it, it is truly a useful tool, and I have got 
to think that there is enough ingenuity at this table to come up, 
working on a bipartisan basis with the Chairman and Senator 
McCain, to come up with something like this that would be helpful 
to the public. Maybe we could just start with Mr. Dugan, and I 
have got a few questions for this panel. 

Mr. Dugan. Senator, you raise a good point. In the Gramm- 
Leach-Bliley act, financial institutions have been frustrated by the 
fact that in many cases, although they have gone to tremendous 
time and expense to prepare the notices, as required by the law 
and the regulations, that they have been perceived as too com- 
plicated and too legalistic, and the problem is exactly what Paul 
was talking about earlier, that in order to comply with the detailed 
requirements of the privacy regulations, in order to avoid legal li- 
ability, there is a real fear that if you get simpler you can expose 
yourself. 

Nevertheless, in the wake of what happened with the first round 
of Gramm-Leach-Bliley notices, I think there was a lot of education 
that occurred both with respect to companies and with respect to 
agencies. It is why the FTC had a big interagency privacy short no- 
tice conference in December. It has prompted an effort by the in- 
dustry to come up and look at precisely the kinds of short notices 
that you are talking about, but I have to tell you — and I think that 
is going to make progress. I think we are going to produce some- 
thing over time, but I have to tell you that is something that takes 
some care to do right and do in a way that does not expose you 
to liability. 

It took a long time to come up with a food labeling notice that 
was acceptable to the parties involved and to the Government. I 
think it is very much a worthwhile endeavor and very much a good 
point, and it is something we do need to work on in the privacy 
context. 

Senator Wyden. Are the rest of you comfortable with looking at 
the nutritional labeling concept just as a model? Obviously, food is 
different than technology, but this sector has so much expertise it 
ought to be possible to do something, other than in effect put all 
of this mail in the trash can, and that is what is happening today. 

Mr. Misener. Senator, we would certainly be happy to look into 
that sort of thing. We want to be able to communicate as clearly 
as possible to our customers. I will say that the clear effect of hav- 
ing a private right of action in a bill like this would be to move 
it the other direction. It would become less clear, much more com- 
plicated, much more legalistic, much longer. 
Ms. Lawler. Let me just add that HP would enjoy very much 
being a part of this discussion. We actually have some best prac- 
tices that we could bring to the table that we are currently pro- 
viding in many of our online places for data collection. There is 
definitely a balance between providing the right level of specificity 
so that you do not open yourselves up unnecessarily to legal expo- 
sure, but I think the overriding principle is definitely clear, simple, 
informed notice for consumers, and I think along with that, though, 
is the importance of real, sincere, earnest consumer education on 
those standards in the labeling that I think are the fair informa- 
tion practices we are talking about. 

Senator Wyden. Let me turn now to you, Mr. Misener, with re- 
spect to industry’s position on why it is important to have a law. 
You all are the No. 1 retailer in this field. I mean, it seems to me 
that if there is an EXXON VALDEZ of privacy, as I have come to 
describe it, this just shatters consumer confidence. This makes peo- 
ple stay away from the kinds of initiatives your company is built 
on. 

I do not see how all of these voluntary efforts — and I think they 
are good, and P3P, for example, is the very good, I do not see how 
they are going to control the bad apples, and I think that is why 
it is important to have one sensible Federal initiative in this area, 
and why we spent a lot of time, as you know, working with you, 
Senator Burns and I and Chairman Hollings, to try to get it done 
right, but aren’t the stakes enormous if nothing is done here, and 
some of those bad apples shatter consumer confidence? 

Mr. Misener. Thank you, Senator, and you have been consistent 
in this position for many years, and we certainly appreciate that. 
If we thought that it would be in the best interest of our customers 
and company to have a bill like this adopted, we would be here lob- 
bying for it. 

Senator Wyden. But just talk about the concept. Understand, I 
am not a sponsor of a bill right now. I am interested in working 
with the Chairman and people like yourself to get something done 
that addresses this, so just talk conceptually about what happens 
if the bad apples 

Mr. Misener. Conceptually, the bill would do nothing to prevent 
the next EXXON VALDEZ of privacy, would do nothing to get at 
the bad actors. It would do everything to expose the good guys to 
litigation. 

The little guys who are potentially the bad actors who are not 
doing well in the market because they are bad actors will not be 
the targets of litigation. They do not have any pockets. The litiga- 
tors will go after the big names. They will go after my company 
and other household names. We see no additional benefit to our 
customers, either existing or future customers, in having that abil- 
ity. 

Just to sort of pile on, on top if it, Senator, we have really es- 
chewed the term self-regulation. You will never hear me use that 
because it implies some sort of altruism on behalf of consumers, 
that companies are going to regulate themselves out of the good- 
ness of their hearts. The reality is, is that companies will lose busi- 
ness. They will lose their existing customers, they will not gain 
new customers if they do not have the privacy protections that 
consumers want, and so this is a market-regulating thing. Just as 
much as the prices of our products are market regulators, so are 
the levels of privacy protections we provide. 

Senator Wyden. Well, again, I am open with respect to the de- 
tails here, and that is why I have not signed on to the legislation, 
but I will tell you, with respect to the key concepts here like pre- 
emption, if there are these horrendous incidents where people’s 
medical records, for example, get out, preemption has gone. Indus- 
try will not get something that they feel very strongly about. You 
will have 50 States off to the races, and the whole matter of pre- 
emption will be gone, and so we hope you will work with us so we 
can get it done right, and that is one of the reasons why I am not 
a sponsor of the legislation today, and I am anxious to work with 
all of you on it. 

A question for you, if I could, Mr. Torres, on the safe harbor, be- 
cause again, this goes right to the heart of how we are going to 
bring together folks in the consumer movement who I have worked 
with for many years, and people in industry. I think with so many 
e-commerce companies hurting right now, really struggling, it is 
understandable why they are nervous about possible exposure 
under a new privacy statute. 

How far are you all willing to go to provide this safe harbor kind 
of concept so that there is a clear path to certainty and safety for 
companies that we end up rewarding the self-regulatory efforts 
that are responsible? How far are you all willing to go in terms of 
meeting industry halfway on the safe harbor idea? 

Mr. Torres. Well, Senator, considering how far we have come on 
this legislation, to go a little bit farther and talk about how to 
structure a safe harbor, we would certainly be open to that as a 
way of recognizing the efforts of some of the better companies out 
there who have responded to consumer privacy concerns. 

Senator Wyden. One last question, maybe for either of the indus- 
try representatives, and Mr. Rotenberg, maybe we could get you 
into this one. 

With respect to access, this, too, is going to be an important issue 
if we are going to get a meaningful piece of legislation. Access is 
what makes consumers feel secure. They know that they can get 
to this critical information. Where is the common ground between 
industry and consumers with respect to access rights? 

Why don’t, Mr. Rotenberg, you and Mr. Misener take this one 
on? 

Mr. Rotenberg. Thank you, Senator. Actually, having been a 
customer of Amazon, I can say that in many ways Amazon has 
been a leader in trying to provide their customers with a very ex- 
tensive display of the personal information that the company has 
acquired, and it is an important way to establish trust and con- 
fidence for the company to disclose to its customers the information 
that it has on them. 

It is really — without access, we are left only with the notices, 
which are largely like disclaimers. The problems, I think, arise in 
other circumstances with companies that have not developed this 
practice that basically say, as this bill seems to suggest, we will 
give you the information about you that you have already provided 
to us, and that is not enough, I think, for most consumers to 
understand what types of profiles are being built, what kind of data is 
being linked, what other information is informing the company in 
its decisionmaking with the consumers, and so it is really over in 
that category of information that I think there is also an interest 
of access. 

Mr. Misener. Thank you, Senator. Certainly, access is very im- 
portant. As Mr. Rotenberg points out, Amazon.com has really at- 
tempted to provide it as best as possible. I think perhaps the bigger 
question here is, given that only 1 percent of consumer trans- 
actions are consummated online, what about the other 99 percent, 
no access at all? Is that the result here? 

I would think a question to some consumer groups might be, why 
fight so hard for this 1 percent and leave aside the other 99? 

Senator Wyden. My time has expired. I would only say to this 
panel I think you all, and the cross-section of people that the 
Chairman has at this table, you all may have the clout to kill Fed- 
eral legislation this year. I think that that would be a big mistake. 
I think it would be a big mistake because a lot of consumers in this 
country would get hurt, and I think it would be a huge mistake for 
industry. 

As you know, I am the principal sponsor of the Internet tax free- 
dom bill to promote commerce online. You have these privacy prob- 
lems, and you undo a lot of what we have achieved with the Inter- 
net tax freedom bill, so what I have told the Chairman is, I am 
going to work very closely with him, because I think it is time to 
get moving, folks. 

I think it is time to get a bill passed, and there are areas such 
as the one I have talked about with respect to the notice provision 
where, instead of putting all the stuff in the trash cans of America 
the way we are doing today, under the various requirements of 
today, we can do something that is constructive by looking at mod- 
els like nutritional labeling, and so I hope you will work with all 
of us. I am going to work with the Chairman and Senator McCain, 
because I think it is time to get going and pass a law, and I thank 
you, Mr. Chairman. 

The Chairman. Thank you, Senator. I enjoyed your observation, 
because let us assume the bill is killed and nothing happens, do not 
worry about it, the States are going to legislate. 

This crowd — I sort of resent polls, and pollster politicians. For 25 
years I never did see one, and now I have got to look at them now, 
because the people do not pay attention until the very end of the 
campaign, and so that is where you have got to put your money 
and your TV, but the bankers are not going to get by, and the in- 
surance companies, and the securities. They are going to legislate 
for you. 

And so the reason we are moving now is because the politicians 
all up here, as much as they dislike private rights of action and 
whoopee, let’s get all the lawyers and everything else like that, 
they even see now that this is the No. 1 issue on every poll that 
every one of these Senators are taking, and that is why we are able 
to finally move, after 7 years. 

I can tell you — and I do not mind putting in a bill for the offline 
the same as the online. I can tell you, 7 years, that will wait 70 
years. That is not going anywhere. I can tell you myself. I used to 
represent a 123 chain supermarket, and I can see that notice stick- 
ing up in the doorway as you come in about how they are going 
to use the information about what you are buying and sell it 
around. That poor store would close in the next week. They would 
lose all their business. People would be scared. 

Everybody is interested in privacy offline, online, offline, online, 
we all know that, but it has gotten to be such a problem and can 
be managed and will be managed either by the States or the Fed- 
eral Government, and we here at the Federal level cannot let the 
perfect be the enemy of the good. I mean, if we wait around, and 
continue to wait around, we will never get anything done. 

So you folks have brought into focus some real concerns about 
this particular bill. These have been very valuable presentations 
here today. The Committee is indebted to you, and we will proceed 
from this point on. We thank you very, very much. 

The Committee will be in recess, subject to the call of the chair. 

[Whereupon, at 11:55 a.m., the Committee adjourned.] 




APPENDIX 


Prepared Statement of Hon. John F. Kerry, U.S. Senator from 
Massachusetts 

Mr. Chairman, thank you for holding this hearing. This is a continuation of a 
process that began in the previous Congress to develop Internet privacy legislation. 
We are now very near to a bill that empowers consumers to have confidence in the 
security of the Internet and will allow the Web to continue to grow as an engine 
of commerce. 

I think we are getting very close to achieving that balance. The Chairman has 
introduced a bill that I am proud to co-sponsor. It is strongly pro-consumer. Its basic 
premise is that if consumers give their private information out over the Internet, 
it should be used only for the reason it was given, unless the consumer decides oth- 
erwise. 

For the first time, we have legislation that creates two separate tracks for per- 
sonal information — non-sensitive and sensitive. As I have said before, I believe that 
consumers have different expectations for privacy with respect to their shopping 
habits or hobbies than they do their medical information or financial information 
about their religion or sexual orientation. 

And, accordingly, the bill allows operators to collect nonsensitive information un- 
less a user decides he or she does not want to permit such an action. Sensitive infor- 
mation is assumed to be private, unless a user allows the operator or service pro- 
vider to collect that information. 

One of the most important elements of the bill is that it requires operators to provide 
“clear and conspicuous” notice about the collection of personal information. 
Many well-known websites already do this, much to their credit. However, many online 
service providers do not have clear, easy-to-understand privacy policies. I believe 
that requiring this robust notice is a “must” for any privacy legislation. This 
bill meets that requirement. 

Another critical requirement of privacy legislation met by this bill is that it ensures 
that web site operators and service providers must meet only one standard 
of privacy. The bill preempts state laws, so that operators are not faced with the 
cumbersome responsibility of having 51 different privacy notices and 51 different 
ways for a user to opt-in or opt-out, depending on their residency. 

Finally, let me add that technology has an important role to play in this debate. 
Obviously, if I believed technology held all the answers to guaranteeing Internet privacy, 
I would not be supporting the Chairman’s bill. However, it can help Internet 
users feel comfortable browsing, shopping and doing research — be it academic or 
consumer research. The Platform for Privacy Preferences, which I understand 
Microsoft has recently made available to its consumers, holds great promise in helping 
consumers determine what sites they can trust and which they are not comfortable 
with. 

Mr. Chairman, today’s hearing represents another step in the long march to enacting 
sound Internet privacy policy. As we go forward on this bill there will undoubtedly 
be some changes and some further improvements. I stand ready to work 
with both you and the witnesses, as well as other interested parties to help in that 
process. 


Association of National Advertisers, Inc. 

April 25, 2002 
Commerce, Science, and Transportation Committee, 

Washington, DC. 
On behalf of the Association of National Advertisers (ANA), I am writing to submit 
these comments and questions about S. 2201, the “Online Personal Privacy Act.” 
I would like to request that these comments be included in the official hearing 
record. 

ANA is the advertising industry’s oldest trade association and the only group 
dedicated exclusively to enhancing the ability and protecting the rights of companies 
to market their products and services on a national and regional basis. Our members 
are a cross-section of American industry, consisting of manufacturers, retailers 
and service providers. Representing more than 8,000 separate advertising entities, 
our member companies market a wide array of products and services to consumers 
and other businesses. Many of our members are actively engaged in e-commerce. 

Privacy protection is a critical issue for both consumers and marketers. The future 
of the Internet and the future of target marketing, which provides the economic 
foundation for economic efficiency and support for the marketplace of ideas, all depend 
on our finding a solution to the legitimate privacy concerns of consumers. Marketers 
understand that the full potential of the Internet will never be reached unless 
consumers feel secure in the online environment. 

S. 2201 contains some positive features, such as federal preemption of state laws. 
It is a more sophisticated proposal than earlier legislation, recognizing that all information 
collected online is not created equal. However, we have several significant 
concerns about the bill: 

(1) ANA strongly opposes the access and security provisions of the bill and the 
private right of action for consumers. These provisions would expose commercial 
websites to tremendous potential liability and class action lawsuits, and in our 
view, are unreasonable. 

(2) S. 2201 would attempt to regulate the entire universe of online commercial 
activity and conflict with numerous privacy laws already on the books. 

(3) The bill would impose massive new costs and major new burdens on every 
business that operates online. 

(4) Mandating the use of a sweeping opt-in approach for all sensitive information 
raises serious First Amendment concerns. 

(5) The bill would result in a barrage of notice disclosures that would be counterproductive 
for consumers and businesses. 

ANA does not believe that broad new federal privacy legislation is necessary. No 
government or combination of governments has the resources to police all of cyberspace 
effectively. We believe that consumers can be best protected through a combination 
of existing privacy laws and regulations, privacy enhancing technology, effective 
self-regulation and the backstop of the FTC’s current powers to stop false, 
deceptive or unfair acts or practices. 

The Business Community has Responded to Consumer Concerns 

ANA believes that the findings in the bill do not adequately recognize the efforts 
that the business community has made to protect privacy, or the legal enforceability 
of those steps. 

Almost every major commercial website has adopted and posted privacy policies 
to tell consumers how they collect and use information. The private sector has developed 
three major seal programs (BBB Online, TRUSTe and CPA Webtrust) to assure 
consumers that websites are in fact carrying out their online privacy policies. New 
technologies from “cookie cutters” to P3P, the Platform for Privacy Preferences, are 
providing consumers with the tools they need to protect their privacy. While more 
remains to be done, we believe the online community has made substantial progress. 

The most recent “privacy sweep” shows continued industry progress. That survey 
of the most popular websites was released in March by the Progress and Freedom 
Foundation (PFF) and is available at their website at www.pff.org. 

The survey was conducted by Ernst & Young, based on the methodology of the 
most recent FTC survey. The key findings of the survey are: (1) websites are collecting 
less information; (2) privacy notices are more prevalent, more prominent and 
more complete; and (3) consumers have more opportunities to choose how personally 
identifiable information is used. Virtually all of the most popular websites surveyed 
had privacy notices, while 90% of the random sample of websites posted privacy notices. 
Self-regulation already has gone a long way and continues to be strengthened 
every day. 

FTC Already has Legal Authority to Enforce Privacy Promises 

Last October, FTC Chairman Timothy Muris announced a major new privacy 
agenda for the Commission, including greatly increased resources, more consumer 
outreach and education and new enforcement initiatives. At that time, the Chairman 
stated that the Commission did not need new legislation to protect consumer 
privacy. We share the Chairman’s conclusion that a more vigorous federal cop on 
the beat, combined with the various efforts of the private sector, can provide consumers 
with the best protection of their privacy in our new economy. 

Once a company posts a privacy policy, the FTC has jurisdiction to go after the 
website if it does not live up to the privacy promises made. The FTC has brought 
a number of enforcement cases based on this authority. Thus, the statement in the 
findings of S. 2201 that current law provides only “minimal” protections is inaccurate. 

The Scope of the Proposed Legislation is Very Broad 

As you know, the United States has historically taken a sectoral approach to privacy 
regulation, adopting specific rules to apply to a specific industry and specific 
perceived problems. As a result, there are more than ten separate federal regulatory 
privacy regimes, including the Children’s Online Privacy Protection Act, the Cable 
Communications Policy Act, the Telephone Consumer Protection Act, the Video Privacy 
Protection Act, the Gramm-Leach-Bliley (GLB) Act, the Fair Credit Reporting 
Act, and the Health Insurance Portability and Accountability Act, to name just a 
few. 

S. 2201 would seem to regulate the entire universe of online commercial activity. 
How would the bill relate to all of the other privacy laws already on the books, such 
as GLB and the health privacy rules? Would companies in those industries be subject 
to yet another inconsistent privacy regime? 

The answer appears to be yes. Under GLB, financial service firms are not required 
to get consumer consent through opt-in before sharing information with affiliates 
and subsidiaries. GLB adopts an opt-out approach for this information and 
this was one of the most contentious issues in the GLB debate. Yet S. 2201 would 
require an opt-in approach for any collection, use or transfer of sensitive financial 
information, whether to affiliates or any other group. 

One fundamental question that Congress must address is what is the harm that 
the legislation is seeking to address. Consumers have a legitimate concern about 
how health or financial information about them might be used by someone else. 
Thus we have the GLB and health privacy laws and regulations to address those 
specific concerns and potential harms. 

S. 2201 would regulate every part of the online economy, including information 
about how many shirts someone orders from a retailer and what color, size and 
price they were. What is the potential harm that can come to a consumer from the 
use or transfer of that type of general commercial information? Does that potential 
harm justify a sweeping new privacy regime that imposes costs and burdens on 
every business in America that uses the Internet? 

ANA believes it is critical to determine how S. 2201 would be harmonized with 
all the existing federal privacy laws. A major diversified business could easily find 
itself subject to multiple and conflicting requirements and definitions. Conflicting 
definitions and standards on when a consumer may opt-out of the transfer of information 
to another entity would be very confusing to consumers and could have a 
chilling effect on their willingness to permit information to be shared in the marketplace. 
As discussed below, there is substantial economic evidence that such a result 
could impose multibillion dollars of costs on various industry sectors. 

ANA Supports Uniform, Federal Enforcement of Privacy Laws 

If broad privacy legislation is passed by the Congress, then federal preemption 
should be a key part of the package. The Internet is the first truly global medium 
and we must be very careful not to allow Internet privacy regulation to become Balkanized 
through multiple, inconsistent state laws. Therefore, we support language 
that clearly preempts state law or regulations on the collection, use or disclosure 
of personally identifiable information obtained through the Internet. 

However, the preemption provision in S. 2201 may not actually go far enough. 
Many of the other federal privacy laws, such as GLB, allowed states to go beyond 
federal law and adopt their own state laws. It is not clear that the preemption provision 
in S. 2201 would have any impact on any of these state laws already on the 
books. 

Access and Security Provisions are Unreasonable 

ANA is also concerned about the provisions of the bill that would require that consumers 
receive access to all information held about them by a company. This could 
be a very costly process for a major global marketer with multiple divisions and subsidiaries. 
If a packaged goods company has 40 different websites for each of their 
branded products, are they treated as separate entities for purposes of the access 
requirement? If not, the access provision may require the corporate parent to pull 
together the disparate information held by various subsidiaries to create a dossier 
on a consumer. This, in turn, raises new security concerns about the ability of hackers 
or other unauthorized persons to gain access to this newly created profile. 

These issues are very challenging and complex. Several years ago, the FTC created 
an Advisory Committee on Online Access and Security (ACOAS). After months 
of serious consideration, neither the FTC nor the advisory committee were able to 
establish clear standards on how to implement these policies. 

Everyone agrees on the concepts of access and security, but these issues are the 
true Gordian Knot of privacy. Providing consumers with broad access to information, 
without adequate protections, poses potential severe security risks. Overly 
stringent security precautions can make access very difficult. 

How is the access to be provided? Online or offline? How was the $3 fee for providing 
a consumer access determined? It seems very low in regard to potential collection 
costs for companies with multiple subsidiaries or disparate databases. Does 
the committee have any economic evidence of what the actual costs might be for 
companies to provide access? Without this type of data, it would be dangerous to 
impose this type of maximum fee. Furthermore, even if the fee could be justified 
today, can the Congress really assess what would be reasonable fees into the future? 
A more flexible approach should be developed. 

Not all information is created equal. A consumer may have a greater interest in 
access to sensitive information that a website has collected. Is giving a consumer 
access to all general marketing information collected about him so important as to 
justify the cost and burden to companies to provide this access? Are these costs justified 
in light of potential increased security risks? 

Private Right of Action is Unreasonable 

We strongly oppose the provisions of the bill that would provide consumers with 
a private right of action to sue websites that somehow violate the privacy regime. 

By creating a damage award of at least $5,000 per plaintiff, the bill would put 
popular websites at risk for large class action lawsuits. Companies would be forced 
to spend substantial amounts even to defend frivolous claims. 

Under section 203 of the bill, upon a showing of actual harm, a consumer is allowed 
to recover the GREATER of the actual monetary loss from the violation, or 
$5,000. Assume you had a group of 1,000 consumers who allege that a website has 
failed to provide reasonable access to sensitive data and a court determined that the 
actual monetary loss from the violation was $3 per consumer. Under S. 2201, the 
total award for this case would not be $3,000 (1,000 consumers X $3 per consumer), 
but rather would be $5 million (1,000 consumers X $5,000 per consumer). This 
would essentially be a punitive damages model that would strongly encourage litigation 
even if any actual harm were minimal. 

This potential risk could be devastating for many online companies, which often 
begin as start-up firms or small family businesses. The risk would be very significant 
even for major multinational firms. 

The Opt-In Requirement is Unworkable 

Mandating the use of an opt-in approach for the collection and use of all sensitive 
PII would add tremendous costs and raises serious First Amendment concerns. 

ANA is a member of the Privacy Leadership Initiative (PLI). PLI has carried out 
a number of economic studies to determine the value of information transfer in our 
economy and the potential costs of an opt-in regulatory regime. In the financial 
arena, a number of studies demonstrate multi-billion dollar annual savings from accurate 
credit reporting and the avoidance of fraud due to the collection of data and 
data access. In the apparel sales area alone, it was demonstrated that if catalog sellers 
were unable to use routine data that they collect from customers and obtain 
third party data, they would have to raise their prices by more than $1.4 billion 
annually. These studies are available at the PLI website, 
www.understandingprivacy.org. 

The PLI studies show that gaining affirmative consent under an opt-in system 
from consumers is a very difficult and expensive process. For example, US West recently 
conducted an affirmative consent trial using both call centers and direct mail. 
Outbound telemarketing calls obtained an opt-in rate of 29% of residential subscribers 
at a cost of $20.66 per positive response. Direct mail was much less successful, 
obtaining a positive response rate between 5% and 11% and costing between 
$29.32 and $34.32 per positive response. US West concluded that opt-in was not a 
viable approach because it was too difficult, too time intensive and too costly. 

Therefore, the cost implications of this legislation could be very substantial. 
An opt-in requirement, however, implicates issues that go far beyond cost and economic 
efficiency. Some courts and legal scholars believe that it raises serious First 
Amendment issues. In 1999 in U.S. West v. Federal Communications Commission, 
182 F.3d 1224, the 10th Circuit Court of Appeals held that the government must 
carry out a careful calculation of costs and benefits associated with burdens on 
speech imposed by an opt-in rule. In that case, the court struck down an FCC rule 
that contained an opt-in requirement, concluding that the rule violated the First 
Amendment. 

These First Amendment considerations must be carefully analyzed before a broad 
opt-in approach is adopted, or the government will not meet the requirements laid 
out by the Supreme Court for the protection of commercial speech. 

Balkanization of Information 

S. 2201 treats information collected online differently than information collected 
by other means, such as by telephone, direct mail or fax. Since many businesses provide 
services to their customers both online and offline, this will mean that information 
will have to be identified and handled based on how it was received. This requirement 
will create major incentives to balkanize information about consumers, 
which will result in significant increased costs with little added benefit for the consumer. 

Merging offline data with online data appears to trigger the massive regulatory 
regime of this legislation. This could create incentives for inefficient information 
practices, as companies seek to avoid the massive liability they could face under the 
private right of action provisions of the legislation. 

S. 2201 would create numerous classes of information that are subject to special 
and differential treatment. This is in addition to the different classes of information 
established by the privacy provisions of GLB and the Fair Credit Reporting Act. 
This ever-increasing Balkanization of information databases is both costly and inefficient. 

Barrage of Notice Disclosures 

S. 2201 requires special notice disclosures that differ from the notice requirements 
of GLB and other federal privacy laws. It may not be possible to satisfy all of these 
various notice requirements in a single notice. Further, any resulting notices are 
likely to be complex and confusing to consumers. 

Notice requirements are tied to “material” changes in a company’s current practices, 
rather than to the information provided in a prior notice. Thus, even if a company 
disclosed a prospective practice in its privacy notice, the company would still 
need to provide a new notice when it actually changes its policies. This will lead 
to a barrage of notices as new notices are provided in response to relatively minor 
changes in information practices. 

Section 102(d) of the bill states that a website must provide “robust notice” at its 
“first collection of non-sensitive personally identifiable information from that user.” 
However, the section then goes on to provide that “a subsequent collection of additional 
or materially different non-sensitive personally identifiable information from 
that user shall be treated as a first collection.” It thus seems that “robust notice” 
must be provided at every point where “additional” non-sensitive PII is collected. 
This would lead to massive and repetitive disclosure regimes proliferated across the 
Internet and every business sector, regardless of cost effectiveness. 

Sweeping Government Regulation Does Not Guarantee Privacy Protection 

The adoption of sweeping government regulation is no guarantee that consumer 
privacy will actually be better protected. Europe offers a good example. Although 
their privacy laws are generally considered more restrictive and comprehensive than 
those in this country, a January 2001 study by Consumers International indicated 
that European sites appear often to be actually less effective in protecting personal 
privacy than American websites. For example, the study found that despite all the 
rules, 60 percent of European sites lack a privacy policy; only 9 percent of the European 
sites ask the consumer for permission to sell information about them. Indeed, 
the study found that U.S.-based sites tended to set higher standards for privacy 
policies. Consumers International, Privacy@net: An International Comparative Study 
of Consumer Privacy on the Internet, (January 2001). 

In fact, Professor Fred Cate of the University of Indiana School of Law has argued 
that the more restrictive European privacy laws also have failed to quell consumer 
fears. Despite wide differences in our legal and regulatory approach, polls on consumer 
privacy concerns show nearly identical results in the U.S. and Europe. For 
example, Professor Cate cites a Lou Harris & Associates poll in 1999 that found that 
U.S. and German consumers surveyed demonstrated virtually identical fears about 
privacy on the Internet. See: IBM Multi-National Consumer Privacy Survey (1999). 
Therefore, any claims that broad privacy legislation mirroring the European model 
will drastically diminish public anxiety about privacy and generate dramatic increases 
in online commercial activity do not seem to be founded on solid research. 
Nor can they provide the justification for such comprehensive and restrictive legislation 
as S. 2201. 


Conclusion 

Privacy gives rise to very complex issues and no one, in industry or government, 
has all of the answers. We believe the business community is actively working to 
address the legitimate privacy concerns of consumers. 

The online business community has faced tremendous economic challenges in the 
last year, as companies continue to try to develop profitable business models. Most 
of the survivors began as small businesses and start-up firms. 

S. 2201 is well intended and there are several improvements over earlier proposals. 
However, ANA believes this bill would impose tremendous new costs and unreasonable 
burdens on companies of all sizes, and therefore should be rejected. 

We appreciate your sincere concerns about consumer privacy and look forward to 
continuing to work with you and your staff on these critical issues. 

Sincerely, 


Daniel L. Jaffe, 
Executive Vice President 